Trust, but verify: mitigating Third-Party Risks


Third-party vendors and partners have become an essential source of added value and strategic benefit for many businesses in an era of rapid digitalization of services and products. But the benefits of outsourcing come with costs. The number of headline stories about reputational damage arising from third-party breaches (think SolarWinds, General Electric, Instagram, Marriott) illustrates how important it has become to manage third-party relationships well and to take concrete steps to lower the risk they introduce.

The adoption of new collaborative business models and the extensive use of Cloud and IoT increase the number of companies that face liability risks and rising exposure to disputes with their end-users. The risks are amplified where a company has engaged with less risk-averse third parties, such as startups, and/or has limited insight into complex value chains and digital processes. This blog post examines three trends in doing business in digital spaces that involve third-party risk, and highlights the challenges companies face as part of those shifts.

Trend 1. Products and services move beyond their typical environments.

Healthcare device manufacturers and service providers are a good example. They are witnessing medical procedures moving from controlled hospital settings to smaller distributed clinics or even to homes. While the technology itself and the supporting infrastructure can already support that transfer, the new workflows, data management principles, and liability concepts still need to be designed to match. Healthcare organizations and vendors also see that increasing reliance on internet-connected third-party medical devices creates new vulnerabilities, both in terms of data breaches and in terms of the quality and safety of the service. In either case, for the central player in the value chain, it is a less controllable risk that can still hit hard and lead to long and costly disputes.

Trend 2. The business value of third-party cooperation is widely understood.

Most industries have understood that open innovation and wider collaboration with third parties can expand their service/product portfolio and improve the overall value proposition to their clients. As a result, blends of traditional and digital businesses emerge through co-development and joint ventures, platform models, and API connections. While the technology is fit for such dynamic value chains and partnerships, the shared responsibility and liability models are often unclear. For example, in the US, third-party risk costs the healthcare industry around $25B every year, and half of healthcare organizations have experienced a data breach introduced by one or more third-party vendors in the last two years. The added value from such partnerships has become critical and is the key driver of innovation and improved service, so organizations must find new methods for mitigating that risk. Considering that today only 27% of healthcare organizations assess all their vendors annually, it is clear that most such partnerships run on blind trust, exposed to extensive liability risk.

Trend 3. Companies grasp the benefits of Cloud, IoT, AI/ML.

Businesses and organizations understand that efficiency and productivity are essential to succeed and create value, so any edge that can be gained through advanced process automation and the adoption of novel technologies is sought out and implemented. While this means a more seamless user experience and streamlined processes for end-users, it adds complexity to the backend: Cloud magnifies the impact of misconfigurations, IoT has notoriously poor security, and AI/ML remains a "black box" for most. Considering that these solutions are often adopted from third parties with little or no in-house expertise, they can become a significant liability risk or a source of disputes for organizations.

New environments, new partners, new technologies: many organizations end up with a pile of black boxes. They cannot see into the processes that are closely integrated or linked with their business, and they do not understand the technology either. The question is how to achieve trust and mitigate liability risk in such a setting.

Several challenges arise from the interaction of those trends that can damage organizations and/or hold them back from engaging with new opportunities. 

  • Shared responsibility models - it is often unclear how liability is divided or shared in complex value chains and service models. Detailed contracts, SLAs, regular audits, etc. help to some extent, but they remain reactive, slow, and costly. Organizations are looking more towards continuous compliance and zero-trust solutions - tools that let them maintain situational awareness and respond faster when third-party risks are exposed.
  • Lack of visibility - understanding and securing systems, data, and processes across value chains is getting increasingly expensive, and is even impossible in some hybrid infrastructures and multi-party processes. Exhaustive logging and analysis through SIEM tools are out of reach for many organizations due to ballooning cost and limited technical capability, leaving many operating on blind trust and passive defenses.
  • Misconfigurations and misuse - malicious actions, but even more so unintentional human errors, are increasingly common and a top cause of concern, as they result in critical vulnerabilities, data leaks, attempts to cover up mistakes, etc. Active monitoring of critical configurations and key SLA requirements would help to discover deviations in real time and prevent such vulnerabilities from arising in the first place. As much as this is an improved control mechanism over complex value chains and third-party vendors, it is also a safety net underneath inexperienced staff and partners working with new business models, technologies, and workflows.

Guardtime’s answer to these challenges can be summed up as “truth, not trust”. The more one can see and verify with certainty about who did what, when, and how in a digital process, the less effort goes into trust-building, auditing, and dispute settlement.

TrueTrail is Guardtime’s software-based tool, built on KSI Blockchain - our EU eIDAS-accredited and globally deployed trust technology. TrueTrail works as an add-on to existing logging and monitoring systems, enabling organizations to establish the truth about any digital process, even across distributed networks, complex value chains, and integrated technologies, for effective third-party risk management (TPRM).
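To make “truth, not trust” concrete, below is an added illustration of the basic mechanism any tamper-evident audit trail rests on. It is example code written for this post, not TrueTrail, KSI, or any Guardtime implementation, and the event records it uses are constructed. Each log record commits to who did what, when, and to the hash of the previous record, so that editing, deleting or reordering an earlier entry (the cover-up scenario from the misconfiguration bullet above) breaks every later link. The example also shows the caveat a practitioner should know: a hash chain alone cannot reveal that the newest records were dropped, which is why the head of the chain has to be anchored somewhere the log owner does not control, the role a timestamping or blockchain service plays in practice.

```python
import copy
import hashlib
import json
from typing import List, Optional, Tuple

# Hypothetical first link: the chain has no predecessor, so record 0 commits to 64 zero digits.
GENESIS = "0" * 64


def canonical(record: dict) -> bytes:
    """Deterministic JSON encoding so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append(chain: List[dict], ts: str, actor: str, action: str, target: str) -> dict:
    """Append a who/what/when record that commits to the previous record's hash."""
    record = {
        "seq": len(chain),
        "ts": ts,
        "actor": actor,
        "action": action,
        "target": target,
        "prev": chain[-1]["hash"] if chain else GENESIS,
    }
    record["hash"] = hashlib.sha256(canonical(record)).hexdigest()
    chain.append(record)
    return record


def verify(chain: List[dict], anchored_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Walk the chain and return (ok, index of the first bad record).

    Hash links expose any edit, deletion or reordering of earlier records.
    They cannot expose removal of the newest records, so pass the last hash
    that was published outside the log owner's control as anchored_head.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, i
        body = {k: v for k, v in rec.items() if k != "hash"}
        if hashlib.sha256(canonical(body)).hexdigest() != rec.get("hash"):
            return False, i
        prev = rec["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, len(chain)  # chain is truncated or never reached the anchored state
    return True, None


def build_demo_chain() -> List[dict]:
    """Constructed sample events from a vendor-managed device; not real log data."""
    chain: List[dict] = []
    append(chain, "2024-03-01T09:00:00Z", "vendor-svc", "login", "infusion-pump-07")
    append(chain, "2024-03-01T09:02:10Z", "vendor-svc", "config.set tls=off", "infusion-pump-07")
    append(chain, "2024-03-01T09:05:42Z", "vendor-svc", "config.set tls=on", "infusion-pump-07")
    append(chain, "2024-03-01T09:06:00Z", "vendor-svc", "logout", "infusion-pump-07")
    return chain


def tamper(chain: List[dict], index: int, field: str, value: str) -> List[dict]:
    """Return a copy in which one record has been silently edited after the fact."""
    forged = copy.deepcopy(chain)
    forged[index][field] = value
    return forged


def delete(chain: List[dict], index: int) -> List[dict]:
    """Return a copy with one record removed from the middle of the chain."""
    forged = copy.deepcopy(chain)
    del forged[index]
    return forged


if __name__ == "__main__":
    chain = build_demo_chain()
    head = chain[-1]["hash"]  # this value is what would be anchored externally
    print("intact:", verify(chain, head))
    print("edited record 1:", verify(tamper(chain, 1, "action", "config.set tls=on"), head))
    print("deleted record 1:", verify(delete(chain, 1), head))
    print("last record dropped, no anchor:", verify(chain[:3]))
    print("last record dropped, with anchor:", verify(chain[:3], head))
```

Note that whoever can rewrite the log file can also recompute every subsequent hash after tampering, so the chain is only evidence against parties who do not hold the anchored head. That is the point of publishing the head (or the per-record hashes) to a partner, a write-once store, or an independent timestamping service at the moment each record is written.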

Schedule a quick call with us and let’s explore how TrueTrail fits into your existing or planned security posture and how it adapts to your specific workflows.