Managing Third-Party Risks With Continuous Controls Monitoring
Third-Party Risk Management (TPRM) is the process of analyzing and controlling the risks that Third Party Service Providers (TPSPs) present to your company, your operations, your data, and your finances. Most companies rely on a network of third-party vendors, suppliers, and service providers to support their business. As an integral part of overall business operations, these third-party entities end up storing, collecting, uploading, and accessing data as needed.
However, adding TPSP users to your ERP applications also increases the risk of data exposure and the possibility of breaches. Though most businesses have access controls in place and undertake periodic audits to assess and mitigate this risk, TPSPs are still one of the major causes of data breaches, and typical static access controls are not enough. According to Gartner’s Continuous Adaptive Risk & Trust Assessment (CARTA) model, organizations need to move away from the initial one-time, yes/no risk-based decision at the main gate to their systems (managed by a static authentication and authorization process) to a continuous, real-time, adaptive risk and trust analysis of user anomalies with context-aware information across the platform. (Context-aware security is the use of situational information, such as identity, geolocation, time of day, or type of endpoint device, found in Attribute-Based Access Control (ABAC) models.)
Additionally, with roles and authorizations constantly changing across your ERP applications, keeping track of changes manually at the transaction, process, and application level is virtually impossible, and with the hundreds or even thousands of TPSPs you may have, it’s difficult to monitor user activities with traditional role-based access management solutions to quickly detect and stop threats. This is where ABAC and Continuous Controls Monitoring (CCM) are making huge strides to change the overall approach to continuously identifying, detecting, protecting, and responding.
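To make the difference between a static, one-time authorization gate and the context-aware (ABAC) decision described above concrete, here is an added example that is not part of the original article and not Pathlock's code. It evaluates the same request twice: once with a plain role check, and once with a policy that also weighs the user type, geolocation, endpoint device, and time of day. The resource names, country list, and business-hours window are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy attributes (hypothetical values, not from any product):
# sensitive ERP objects, countries a third party may write from, and the
# UTC window in which third-party writes to those objects are acceptable.
SENSITIVE_RESOURCES = {"ERP.VendorMaster", "ERP.PaymentRun"}
ALLOWED_COUNTRIES = {"US", "DE"}
BUSINESS_HOURS_UTC = range(8, 18)  # 08:00 to 17:59 UTC


@dataclass(frozen=True)
class AccessRequest:
    user: str
    user_type: str   # "employee" or "third_party"
    has_role: bool   # result of the static RBAC check for this action
    resource: str
    action: str      # "read" or "write"
    country: str     # ISO 3166 country code from the client's geolocation
    device: str      # "managed" or "unmanaged" endpoint
    at: datetime     # timezone-aware request time


def rbac_decision(req: AccessRequest) -> bool:
    """The one-time yes/no gate: the role either grants the action or not."""
    return req.has_role


def abac_decision(req: AccessRequest) -> tuple[bool, list[str]]:
    """Context-aware decision: the role is necessary but not sufficient.

    Returns (allowed, list of conditions that failed) so the caller can log
    why a request was refused, which is what a monitoring pipeline needs.
    """
    violations: list[str] = []
    if not req.has_role:
        violations.append("role does not grant action")

    sensitive_write = req.resource in SENSITIVE_RESOURCES and req.action == "write"
    if req.user_type == "third_party" and sensitive_write:
        if req.country not in ALLOWED_COUNTRIES:
            violations.append(f"geolocation {req.country} not allowed for third-party writes")
        if req.device != "managed":
            violations.append("unmanaged endpoint device")
        if req.at.astimezone(timezone.utc).hour not in BUSINESS_HOURS_UTC:
            violations.append("outside business hours")

    return (not violations, violations)


if __name__ == "__main__":
    # Two requests from the same vendor account with the same role; only the
    # situational attributes differ.
    normal = AccessRequest("vend_acme", "third_party", True, "ERP.VendorMaster",
                           "write", "US", "managed",
                           datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc))
    odd = AccessRequest("vend_acme", "third_party", True, "ERP.VendorMaster",
                        "write", "BR", "unmanaged",
                        datetime(2024, 3, 5, 2, 0, tzinfo=timezone.utc))
    for req in (normal, odd):
        print("RBAC:", rbac_decision(req), "| ABAC:", abac_decision(req))
```

The static check returns the same answer for both requests, because the role has not changed; only the ABAC evaluation separates the in-hours request from a managed device from the night-time request from an unmanaged device in an unexpected country, and it reports which conditions failed so the event can feed a monitoring dashboard.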
The Third-Party Risk Landscape
Before diving into the need for CCM, it is crucial to understand the gravity of the security situation when it comes to third-party access. Digital relationships with third-party providers have become a necessity today. Collaboration with third-party vendors increases opportunities for business growth, capturing market share, and cost reduction, but the flip side is an increase in security breaches.
A 2018 Opus & Ponemon Institute survey of more than 1,000 CISOs revealed that 61% of U.S. companies had experienced a data breach caused by one of their third-party providers – up 12% since 2016. Furthermore, 22 percent of respondents admitted they didn’t know if they had a third-party data breach during the past 12 months, and more than three-quarters of companies think third-party security breaches are increasing.
On average, organizations spend more than $10M responding to third-party security breaches each year. However, information security is not the only area impacted. Third-party relationships can introduce strategic, financial, operational, contractual, credit, compliance, business continuity, and reputational risks.
Research conducted by Gartner in 2019 found that third-party risk was identified as a top threat by compliance leaders, and 71% of organizations report their third-party network contains more third parties than it did three years ago. Furthermore, the same percentage reports their third-party network will grow even bigger in the next three years.
What is Continuous Controls Monitoring?
Gartner defines continuous controls monitoring (CCM) as “a set of technologies to reduce business losses through continuous monitoring and reducing the cost of audits through continuous auditing of the controls in financial and other transactional applications.”
In simpler terms, CCM is shifting from the traditional audit and assessment approach of randomly sampling a portion of the data over regular intervals to monitoring 100% of the transactions and controls continuously 24/7, 365 days a year.
A core objective of CCM is to ensure that those controls operate as designed and that transactions are processed appropriately. If done right, CCM not only increases the reliability of the controls but also improves the management oversight, policy enforcement, and operational efficiency for critical financial processes, often producing hard-dollar savings.
How Continuous Controls Monitoring Reduces Third-Party Risk
The risk posed by providing access to third-party vendors makes it imperative for businesses to ensure that third-party access to applications and data is controlled and audited. Unfortunately, despite having access control mechanisms in place, third-party data breaches have been on the rise. One of the key reasons for this is the lack of effective monitoring of user anomalies. Roles and authorizations are never static. As new vendors are added, granted varying degrees of authorizations, and terminated from the system, there is a need to continuously monitor access controls and user behavior associated with critical data.
Current auditing practices are primarily manual and time-consuming, with auditors only looking at a sample of the data logs. As a result, a significant part of the process- and transaction-level data still goes entirely under the radar. By implementing tools and technologies that enable Continuous Controls Monitoring (CCM) at the access, transaction, and master data level, businesses can automate the risk and control assessment and monitoring process needed to observe control effectiveness for audit, risk, and compliance management programs.
Enabling Continuous Controls Monitoring with Pathlock Security
The list of third-party vendors your business is working with is only going to grow over time. In addition to managing the security risk, companies must also comply with regulations like GDPR, SOX, CCPA, etc., which adds further burden and cost. CCM technologies offered by Pathlock help provide real-time, context-based monitoring within your ERP applications at the access, transaction, and data level to enable you to be audit-ready.
Appsian 360 helps you detect and respond to fraud, theft, and errors by employees and third parties by capturing granular data at multiple levels. Through a visually rich dashboard, you will be able to identify data access and usage trends at the business process, transaction, and data level that reflect suspicious activity by any third-party vendor. In addition, the continuous monitoring and detailed log data eliminate much of the manual work required for performing audits and ensure that you remain compliant with new data privacy regulations.
Pathlock’s Identity and Access Management (IAM) simplifies and elevates user access management in dynamic multi-vendor ERP environments. It enforces the zero-trust principle, enables content-based, real-time, dynamic risk and trust analysis of user anomalies, and configures preventative controls at the business process, transaction, and field levels. Finally, it allows policy enforcement through the use of the ABAC security model.
ProfileTailor GRC enables you to automate user provisioning to ensure effective role assignments to third-party vendors. The solution allows auditors and security managers to perform periodic user access reviews and recertification to maintain compliance and security within your ERP applications. With ProfileTailor GRC, a single SoD ruleset can be enforced across multiple ERP applications simultaneously, ensuring third-party vendors across your organization have controlled authorizations. In addition, the real-time monitoring capabilities of ProfileTailor GRC are backed by AI and machine learning: the solution conducts an impact analysis to alert you to violations as they happen while providing mitigating controls to prevent future violations.
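The two ideas that recur in this article are worth seeing in code: reviewing 100% of transactions instead of a sample (the definition of CCM above) and enforcing one SoD ruleset across several ERP applications (the paragraph just above). The following is an added example, not code from the article or from Pathlock. It runs a constructed activity log from two hypothetical applications through a single ruleset, then shows what a periodic sampling audit of the same log would have reported. The application names, activity codes, user names, and object ids are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One ERP activity record (constructed schema, not any vendor's log format)."""
    app: str         # application the record came from
    user: str
    user_type: str   # "employee" or "third_party"
    activity: str    # business activity code, e.g. "CREATE_VENDOR"
    object_id: str   # business object touched, e.g. a vendor id
    seq: int         # position of the record in the combined log


# One SoD ruleset shared by every connected application: a single identity
# must not perform both activities of a pair on the same business object.
SOD_RULES = (
    ("CREATE_VENDOR", "APPROVE_PAYMENT"),
    ("CHANGE_BANK_ACCOUNT", "APPROVE_PAYMENT"),
)

# Activities a third-party identity should never perform, whatever its role.
THIRD_PARTY_RESTRICTED = {"APPROVE_PAYMENT"}


def sod_violations(events):
    """Correlate activities per (user, object) across all applications, so a
    vendor created in one system and paid from another is still caught."""
    done = defaultdict(set)
    for e in events:
        done[(e.user, e.object_id)].add(e.activity)
    found = []
    for (user, obj), activities in done.items():
        for first, second in SOD_RULES:
            if first in activities and second in activities:
                found.append((user, obj, first, second))
    return sorted(found)


def third_party_restricted(events):
    """Flag restricted activities performed by third-party identities."""
    return [(e.user, e.app, e.activity, e.object_id)
            for e in events
            if e.user_type == "third_party" and e.activity in THIRD_PARTY_RESTRICTED]


def continuous_review(events):
    """Full-population review: every record is evaluated."""
    return {"sod": sod_violations(events),
            "third_party_restricted": third_party_restricted(events)}


def sampled_review(events, every=2):
    """Traditional periodic audit: only every N-th record is examined."""
    return continuous_review(events[::every])


# Constructed combined log from two hypothetical ERP applications.
SAMPLE_LOG = [
    Event("SAP", "vend_acme", "third_party", "CREATE_VENDOR", "V-100", 1),
    Event("SAP", "alice", "employee", "APPROVE_PAYMENT", "V-200", 2),
    Event("Oracle", "vend_acme", "third_party", "CHANGE_BANK_ACCOUNT", "V-100", 3),
    Event("Oracle", "vend_acme", "third_party", "APPROVE_PAYMENT", "V-100", 4),
    Event("SAP", "bob", "employee", "CREATE_VENDOR", "V-300", 5),
    Event("Oracle", "alice", "employee", "APPROVE_PAYMENT", "V-300", 6),
]

if __name__ == "__main__":
    print("continuous:", continuous_review(SAMPLE_LOG))
    print("sampled:   ", sampled_review(SAMPLE_LOG))
```

On this log the full-population review reports two SoD conflicts for the vendor account on object V-100 (the vendor record was created in one application and the payment approved in the other) plus one restricted third-party activity, while the every-second-record sample reports nothing at all, because the approving record happens to fall outside the sample. The correlation key is the identity plus the business object rather than the application, which is what lets one ruleset cover several systems.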
Connect with our ERP security experts to learn more about how Pathlock can enable Continuous Controls Monitoring to mitigate your third-party risk. Schedule a Demo.