OPM is not alone: More Third Party Risk in the Federal Government

Third-Party Risk Management Insights: 2015 Gartner Security & Risk Summit
Written by Ben Fagan
VP, Corporate Strategy & Chief of Staff

Last month, the Office of Personnel Management revealed the true extent of its mega data breach - 21.4 million Americans. This means that around 7% of all Americans are affected by this breach. Lawmakers are beginning to debate how the federal government can implement twenty-first century policies to counter growing cyber threats. A recent study from the US GAO noted that there was a 32.5% increase in cyber incidents at federal agencies from 2012 to 2013. As lawmakers begin to look internally at policies and processes to combat these threats, it is important that they also look externally. Primarily, this means taking note of third party risks and emulating models of success found in other industries.

While Bitsight never publicly discloses individual company ratings, we do provide aggregate analysis on industry-specific trends. In the past, we have published Bitsight Insight reports on industries that are lagging behind others when it comes to cybersecurity, notably healthcare and education. In light of the latest government hack, Bitsight has analyzed the Government sector along with the Defense Contractors sector to see where they stand in relation to other industries. Defense Contractors are a key third party for the federal government. As the manufacturers of everything from planes to computers, these companies are given access to sensitive and confidential information - some of it crucial to national security.

To understand the cybersecurity posture of these two industries, Bitsight has compared their performance to industries we have previously analyzed: Finance, Retail, Healthcare and Education. Bitsight rates over 27,000 organizations daily on their security performance by aggregating publicly accessible information and assigning this to specific entities. With these ratings, customers are enabled to benchmark their security performance against industry averages and peers, monitor third party vendors risks, underwrite cyber insurance and conduct due diligence.

As you can see in the table below, both the Government and Defense Contractors fall into the middle of the pack among industry sectors [1]. They perform better than Healthcare and Education - two industries that have experienced high profile breaches and major security issues over the past year. Nevertheless, they also fall slightly behind Retail, which was grabbing headlines throughout 2014 for major breaches affecting some of the US’s largest retail giants.

As lawmakers continue debating how to overhaul the government’s outdated technology regulations and processes to address major security threats, it would be wise for them to take a look at their third party vendors as well - starting with defense contractors and other high-risk vendors. While these companies are by no means the lowest performers, third party risks have been a major source of known vulnerabilities and these companies hold incredibly sensitive information. Jacob Olcott, VP of Business Development, notes that in many government agencies, teams are still struggling with the basics of third party risk management and focusing on items like contractual updates. Meanwhile, agencies are still being breached and clear risks are being ignored. “It’s time the government starts embracing more of the practices that its regulators are pushing for private industry to adopt. Their guidance has included continuous performance monitoring, more frequent risk assessments and clearly defined terms for breach liability.”

One place that lawmakers can look to for guidance is the Finance industry. Banks and financial institutions have been setting an example for years by creating a risk-aware culture that promotes good security hygiene. They consistently outperform other industries and share information among themselves using forums such as FS-ISAC. A crucial part of their success is the implementation of vendor risk programs that allow them to effectively monitor vendors and mitigate potential third party risks before they lead to a breach. This year’s Verizon DBIR noted that in 70% of observed attacks there was a secondary victim, such as a vendor or third party.

As Washington begins to look internally to tackle cybersecurity, lawmakers should also look outward to emulate the example of financial services and manage third party risk before another major breach occurs.

[1] Note: The Defense Contractor industry comprises 80 companies with a range of ratings from 390-790. Average ratings do not provide an indication of any one company’s security performance.