Third-Party Risks Leave South African Organizations Exposed

The Importance of Third-Party Risk Management in South Africa

In an increasingly interconnected business landscape, third-party risk management (TPRM) has emerged as a critical component for organizations worldwide. However, in South Africa, this essential aspect of risk management has not received the attention it deserves. Recent discussions among experts in the field have highlighted the urgent need for South African organizations to better manage third-party risks to mitigate a range of potential threats.

The Need for Enhanced TPRM

During a recent webinar hosted by the Cybersecurity Special Interest Group (SIGCyber) of the Institute of Information Technology Professionals South Africa (IITPSA), industry experts underscored the importance of TPRM in reducing cyber risks and other broader business vulnerabilities. Andrew Henwood, a prominent figure in the discussion, emphasized the notion that “you’re only as strong as the weakest link in your supply chain.” This statement resonates deeply in light of recent cyber exploits, where attackers have targeted less secure suppliers rather than attempting to breach larger, more fortified organizations directly.

Henwood elaborated on the significance of TPRM, stating, “If third parties touch your sensitive information or infrastructure, they all need to be considered in your risk management strategy.” This perspective highlights the necessity for organizations to scrutinize not only their internal security measures but also the security controls of their vendors, suppliers, partners, and managed service providers.

A Broader Perspective on TPRM

While many organizations tend to focus solely on third-party cyber security risks, Richard Frost pointed out that TPRM should encompass a wider array of considerations. “It needs to monitor the performance of those third parties and ensure you are granting them access to only that part of your environment that they require—no more and no less,” he explained. This holistic approach to TPRM is crucial in today’s interconnected environment, where the implications of third-party relationships extend beyond cyber security to include reputational, legal, and financial risks.

Doctor Mafuwafuwane echoed this sentiment, asserting that managing third-party risk is no longer optional; it is essential for all businesses, regardless of size. He emphasized the importance of comprehensive onboarding, offboarding, and ongoing management of vendors and partners, particularly those with access to sensitive data. “Most of the data breaches we see today are due to third parties who had access to data,” he cautioned.

Moving Beyond Traditional Approaches

The panelists agreed that organizations must evolve from traditional TPRM approaches that rely on simple questionnaires sent out annually. Henwood criticized the outdated practice of using Excel spreadsheets or Word documents filled with questions derived from open information security standards. While such methods can help define expectations, they often lead to superficial responses from suppliers eager to maintain business relationships. “It is unlikely that a supplier will admit they actually don’t patch their systems regularly,” he noted.

Frost added that even if suppliers provide honest answers, the rapidly changing nature of technology means that compliance today does not guarantee compliance tomorrow. To address these challenges, Mafuwafuwane recommended moving away from spreadsheets and adopting automated tools for performance monitoring. He also suggested categorizing suppliers based on the level of risk they pose, allowing organizations to tailor their TPRM strategies accordingly.

Implementing a Zero Trust Strategy

A robust TPRM strategy should also incorporate a Zero Trust framework, which involves identifying, classifying, and masking data to protect sensitive information accessed by third parties. Henwood highlighted the availability of tools that facilitate outside-in validation and monitoring, using open-source threat intelligence to give organizations a “hacker perspective” of their externally visible weaknesses. These tools can operate on a near-continuous basis, offering real-time insights into potential risks.

Balancing Compliance Costs and Business Relationships

One of the pressing questions raised during the webinar was the balance between compliance costs and the revenue generated from third-party agreements. Frost queried, “At what point does the cost of compliance outweigh the revenue a third-party agreement would bring in to a supplier?” Henwood responded by emphasizing the obligation of any organization handling sensitive data to maintain security and compliance.

He noted that larger corporations have implemented TPRM programs that set reasonable expectations for smaller organizations. “They require bare minimum measures all organizations should be implementing to be inherently secure,” he explained. By focusing on fundamental assessments, organizations can gain a clearer understanding of their external exposure. For instance, a simple 20-minute assessment can reveal an organization’s entire external footprint, including exposed servers and open ports.

Conclusion: The Path Forward

As South African organizations navigate the complexities of third-party relationships, the importance of effective TPRM cannot be overstated. By adopting a comprehensive approach that goes beyond traditional methods, organizations can better protect themselves against a myriad of risks. The insights shared by experts during the SIGCyber webinar serve as a clarion call for businesses to prioritize TPRM, ensuring that they are not only compliant but also resilient in the face of evolving threats.

In a world where data breaches are increasingly common, the need for robust third-party risk management strategies is more critical than ever. Organizations must take proactive steps to safeguard their sensitive information and maintain the trust of their customers and stakeholders.
