The Risk of Breaches and Attacks via Third Parties
About 57% of respondents to the 2023 CSA Report on Third-Party Risk have seen a breach or attack via their third-party providers. Almost four out of 10 respondents (39%) identified a business partner, subcontractor or IT services provider as responsible for the incident. Organizations of all sizes see an average of three attacks via third parties per year. A total of 79% of the companies plan to invest in third-party risk management technologies.
During many sourcing transactions over the past years, we have observed a rather relaxed handling of cybersecurity. User organizations provide their set of internal standards and providers are requested to follow them – after showing their compliance by ticking all related questions in a questionnaire. In one case, a renowned provider suggested its large manufacturing client use the provider’s policies instead of its own. The enterprise thought, “we are both on ISO27; there won’t be big differences.”
But these policies and procedures are what governed the management and operations of the manufacturer’s cybersecurity, and, in fact, dealing with the complexity of the provider’s policies and procedures proved to be quite a challenge. Many of the policies existed as read-only files for auditing purposes.
We have seen examples of 200, 700, 1,200 and even 2,000 pages of client security regulations – and we can tell you the number of security regulations is no indicator of quality.
How to Evaluate Provider Policies and Procedures
Who should read and understand all this information?
A fully focused human requires more than 23 hours to read a total of 700 pages – and reading does not equal understanding. For a complete understanding of structure and content, it takes a human two to three repetitions. Reading and understanding a set of policies and regulations of a contractual partner against similar provider policies and procedures would take someone a total of 12 to 18 days.
Comparing important documents is a challenge on its own. Comparing semantic relatedness of documents is a higher-order workload altogether. Manually comparing security assessment findings between two sibling companies shows that up to 50 short and easy understandable sentences can be compared per hour. This results in the need for 125 person-days for the comparison of two 700-page documents, which is equivalent to half a year. Of course, interruptions disrupt and prolong the process. Quality assurance of this kind of work can be assumed to be about 50%. All told, this work would carry a budget requirement of more than $200,000.
To understand the scaling effect of comparing sentences, it is worth understanding that the doubling of the number of documents results in a quadrupling of the number of comparisons. In the chart below, the base scenario for the comparison is two 10-page documents with 20 sentences per page. The lines below the base scenario show the scaling effect as the size of the documents grows.
| Number of pages per document | Number of sentences per document | Number of sentence comparisons | Scaling effect |
| 10 | 200 | 40,000 | Base number |
| 20 | 400 | 160,000 | 4x the number of comparisons |
| 50 | 1,000 | 1,000,000 | 25x the number of comparisons |
| 100 | 2,000 | 4,000,000 | 100x the number of comparisons |
As you can see from the math, the security policy and procedure comparison workload can quickly get out of hand.
And yet, experts agree that the average total cost of a single breach is about $4.35 million. This can be avoided with a solid, common understanding of how to manage and operate cybersecurity.
How to Align Your Supply Chain for Improved Cybersecurity
Organizations have created all kinds of solutions to help them improve the efficiency of comparing security policies and procedures. Some use Adobe Acrobat and Microsoft Word to compare words or sets of words, but they have found these solutions cannot compare the semantical meaning of sets of words. Others use Microsoft Excel, which requires previous segregation of documents into sentences and cannot match keywords in alternate phrasing.
Enterprises can dramatically improve their understanding and alignment of security policies and procedures across providers in a supply chain with AI technology designed to semantically compare text. The AI-powered ISG Security Policy and Procedure Review Tool improves the quality of comparisons between documents and saves up to 70% of manual work in a single project. It can save up to 90% in repetitive comparisons when a large group of companies aligns their policies within their group, when companies analyze their standard against the standards of providers or when providers need to semantically compare the recipient’s set of documents against its own.
Companies can simply upload documents from digital formats or content from corporate wikis and set thresholds to provide the AI with the expected level of confidence. Then the AI analyzes the structure of the documents and semantically compares the content.
With AI, the ISG Security Policy and Procedure Review Tool reads documents in seconds, achieves semantical understanding in minutes and performs semantical quality comparisons in hours. Contact us to find out how we can get you started.
About the author
