Of all the issues on the cybersecurity front, managing third-party risk can be one of the most challenging. In today’s tech-enabled world, organizations have hundreds or thousands of data-sharing connections to vendors, suppliers, partners and contractors that are vital for operation. But these connections are also a cybersecurity catch-22. Your organization’s web of third parties acts like a living system comprised of many separate organs. If one of these is injured, it impacts the entire system—damaging your ability to do business and hurting your bottom line.
History shows us that third-party risk isn’t going away anytime soon. There will always be inherent risk when connecting your organization’s infrastructure, data, systems, and applications to a third party. This is supported by a SecureLink study which found that 51% of organizations had experienced a data breach caused by a third party.
Even after significant, high-profile breaches, few organizations place an appropriate priority on third-party risk management. Numbers from a recent CBI and Ponemon study back this up: Although 75% of respondents are concerned about the ransomware risk posed by third parties, only 36% say their organizations evaluate third-party security and privacy practices.
It’s important to know if an essential vendor you work with has failed its recent IT security audits or has a history of breach incidents. With this information, you would probably consider looking for other potential vendors. At the very least, you would place extra safeguards within your infrastructure to defend against any attacks originating from that vendor.
Third-party risk management isn’t just an insurance policy or a necessary evil. It reveals information you can use to make informed decisions about your business partners to minimize technical exposure and financial risk to your bottom line.
Third-party risk management may be complex, but it doesn’t have to be overwhelming, especially if you have our roadmap to get started. No matter the size of your organization, the focus should be on these eight crucial areas.
The first step in any successful third-party risk management program is forming a committee of relevant stakeholders. The committee is usually led by a CIO or CISO (or designee) and should include business unit managers and representatives from purchasing and legal. A supportive executive team willing to invest the necessary time, budget and resources is another key factor in a successful program. Include executive representatives on the committee who can provide insights and help keep things moving forward.
Representation across the organization is necessary because your bottom line can be immediately affected when a critical supplier gets hit with a cyber attack that takes its network down.
It’s critical and sometimes required for publicly traded organizations with a board of directors to establish such a committee.
One of the biggest mistakes I see organizations make when it comes to their third-party risk management program, other than not having a program at all, of course, is giving responsibility for the entire program to IT. While IT is an important cog in the machine, third-party risk management is a board-level business conversation requiring involvement from multiple disciplines. Most IT teams aren’t qualified to fully develop, implement and, ultimately, manage the program.
Once the committee forms, it’s time to list and prioritize the companies you connect to and purchase products and services from. Ultimately, you are identifying critical vendors—ones with products or services essential to your organization’s business and operations—and high-risk vendors with access to confidential data, systems and applications. Critical vendors and high-risk vendors may overlap.
Your CISO may not know all the answers when it comes to identifying critical suppliers. This is where purchasing and other members of the executive team come in. Following the money is key in third-party risk management and they generally know the products and services procured.
To determine which vendors are critical, imagine the state you would be in if that supplier disappeared. What if that third party is hit by a cyber attack that completely locks up their systems and they can’t deliver? The supplier is probably critical if your business operations or your ability to deliver your products or services would be considerably impacted.
There might also be a time when it’s necessary to go a step further and consider fourth parties—the companies that provide critical products or services to your critical vendors.
Now that you have your list of critical and high-risk vendors, it’s essential that you understand your connections to these parties. What type of network access do they have, and which systems can they access? Are you sharing data with them, and how sensitive is that data? Do you have any integrated workflows, processes or procedures? Use these results to fine-tune your list of critical and high-risk vendors.
The next step is to agree on security standards for assessing your vendors and suppliers. Do you want them to report that they are performing penetration tests or vulnerability assessments, and how often? Do you want them to confirm that they have a list of basic security protocols in place or specific practices such as employee security training, disaster recovery, business continuity, etc.? Do you want them to provide a SOC report? Do you want them to conform to industry standards such as NIST, TISAX, PCI DSS, CCPA, or another standard specific to your industry? If you need them to conform to a standard, that standard should guide the questions you ask.
Many cybersecurity integrators have a third-party questionnaire to get you started. A questionnaire can fast-track your program and is easily adaptable to your security requirements and concerns.
It’s time to roll up our sleeves and put in the hard work. This step is where your IT team usually gets involved in contacting the identified critical vendors for information based on the standards you established in Step 4.
If you’re a large enterprise, automated platforms such as OneTrust Vendorpedia, Prevalent, BitSight, and SecurityScorecard can help you do this. These tools create, publish, send, track and report on the level of risk vendors pose to your organization. In some cases, they can also facilitate the distribution and collection of the data requested in a security questionnaire.
If you’re a smaller organization doing this manually, you can send out a simple request for this information.
Once you’ve received vendor responses, feed them into a dashboard so the committee, executives, etc. can view the results.
The findings must be viewable in an easily digestible format your audience can use to make informed decisions. This is a crucial part of the program because people in other parts of the business have a big stake in the outcome. They may want to use a provider despite the IT risk. You need to be able to represent risk visually in a meaningful way.
This can be achieved by aggregating the data and assigning each vendor a risk score, whether a number, a letter grade on a scale of A to F, or a red/yellow/green dot. This data can then be plotted on a heat map to show how much each vendor contributes to your overall third-party risk.
Your stakeholders should be able to view the results in a way that is relevant to them. For example, finance stakeholders should be able to see how much money is spent with a vendor compared to the vendor’s risk score. If your company spends millions of dollars with a vendor who represents a high risk to your organization’s security, your stakeholders should be able to see this clearly. From this point, it can be decided whether to accept the level of risk, put a remediation plan in place, or start the process of offboarding a particular vendor.
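As an added illustration (not code from CBI or from this article), here is a small Python model of the scoring described above: questionnaire answers and connection exposure become a 0–100 risk score, an A–F grade and a red/yellow/green rating, and each vendor is paired with its annual spend so that high-spend, high-risk vendors surface first. The control list, weights, exposure tiers, thresholds and sample vendors are all assumptions.

```python
# Added example (not the article's code): questionnaire answers + connection exposure
# -> 0-100 risk score, A-F grade, red/yellow/green rating, paired with annual spend.
# Weights, exposure tiers, thresholds and sample vendors are constructed assumptions.
from dataclasses import dataclass, field
# Controls the committee agreed to ask about, weighted by how much a "no" costs.
CONTROL_WEIGHTS = {"pen_test_last_12mo": 20, "vuln_scanning": 15, "mfa_for_remote_access": 15,
                   "disaster_recovery_plan": 15, "soc_report_provided": 15,
                   "employee_security_training": 10, "business_continuity_plan": 10}
# How exposed you are through the connection; scales the weight of missing controls.
EXPOSURE = {"none": 0.5, "low": 1.0, "medium": 1.5, "high": 2.0}

@dataclass
class Vendor:
    name: str
    annual_spend: float
    critical: bool               # essential to operations or delivery
    data_sensitivity: str        # EXPOSURE key: what data they receive from you
    network_access: str          # EXPOSURE key: what they can reach on your network
    controls: dict = field(default_factory=dict)  # control name -> True if answered "yes"

def risk_score(v: Vendor) -> int:
    """0 = every control in place; 100 = every control missing at maximum exposure."""
    missing = sum(w for c, w in CONTROL_WEIGHTS.items() if not v.controls.get(c))
    exposure = max(EXPOSURE[v.data_sensitivity], EXPOSURE[v.network_access])
    return min(100, round(missing * exposure / max(EXPOSURE.values())))

def grade(score: int) -> str:
    return next((g for limit, g in ((20, "A"), (40, "B"), (60, "C"), (80, "D")) if score <= limit), "F")

def rag(score: int) -> str:
    return "green" if score <= 40 else "yellow" if score <= 70 else "red"

def heat_map(vendors, spend_threshold=1_000_000):
    """One row per vendor; rows that need committee escalation sort first."""
    rows = []
    for v in vendors:
        s = risk_score(v)
        # Non-green vendors that are critical or high-spend go to the committee.
        escalate = rag(s) != "green" and (v.critical or v.annual_spend >= spend_threshold)
        rows.append({"vendor": v.name, "score": s, "grade": grade(s), "rag": rag(s),
                     "critical": v.critical, "spend": v.annual_spend, "escalate": escalate})
    return sorted(rows, key=lambda r: (not r["escalate"], -r["score"]))

# Constructed sample responses; the first mirrors the article's raw-materials scenario.
SAMPLE_VENDORS = [
    Vendor("Raw Materials Co", 4_000_000, True, "high", "medium",
           {"employee_security_training": True, "business_continuity_plan": True}),
    Vendor("Payroll SaaS", 250_000, True, "high", "low", dict.fromkeys(CONTROL_WEIGHTS, True)),
    Vendor("Office Plants Inc", 12_000, False, "none", "none"),
]
```

Calling heat_map(SAMPLE_VENDORS) puts the critical, high-spend supplier with a red score at the top of the list, which is the row finance and the committee need to see first.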
Next, the CIO/CISO takes the information forward and shares it with the committee, the executive team, and the board. Let’s say you’ve discovered that a critical vendor providing raw materials needed to make your product is behind the security curve. Additionally, you exchange highly sensitive product design documentation and specific procedural patents with this vendor. Your decision-makers should clearly understand this and adjust business relationships and negotiate contracts if needed.
Third-party risk management is not a one-and-done job; it’s a continuous endeavor. Your organization is constantly onboarding and offboarding third parties that connect and disconnect from your network. Keep a clean house by regularly and persistently evaluating the status of your vendors, suppliers, service providers, partners and contractors. This should be part of your organization’s continual process.
Evaluate new and ongoing business relationships for ways to improve the security of your third-party connections. How can you prevent them from accessing data or systems they shouldn’t? Could a malicious actor find their way to your critical data if they were to leverage that connection?
Properly decommission third-party business relationships when needed by deactivating service and user accounts, terminating data flows, and acquiring proof of secure data disposal from the third parties whenever possible. Consider establishing an automated decommission process aligned to third-party contract expirations.
The bottom line is that a well-run third-party risk management program is a pillar of a strong cybersecurity posture. You can have a stellar security program in your organization, but your business can suffer reputational, regulatory, operational, and financial damages if an interconnected third party doesn’t.
Third-party business relationships can be considered a marriage of sorts, given the level of trust involved when sharing data and business risk. When approached from that perspective, it only makes sense to do due diligence and carefully evaluate potential and current business relations. A third-party risk assessment from CBI is a great way to take the right approach for your business.