Third-party risk management is an essential part of a company’s cybersecurity strategy but one that doesn’t often get the attention (or resources) it needs. But if it’s ignored, enterprises are leaving one of their biggest sources of risk open to criminal hackers, bad actors, and nation-state attackers. They can also leave themselves liable to reputational or operational risk if their third-party fails to secure themselves or falters.
In this primer, we’ll show you what third-party risk management is, how to develop a third-party risk management strategy, best practices, and how to prepare your organization to further develop and optimize your third-party risk management in your cybersecurity department.
What is Third-Party Risk Management?
Third-party risk management is ensuring that your third-parties are given the same (or more) cybersecurity and risk due diligence as your own company. Third-parties include your contractors, subcontractors, third-party vendors, cloud-based vendors—basically any company that, if they were subject to a data breach or accidental exposure, could either expose your own systems or your own sensitive information.
For example, your marketing team is likely using a third-party email marketing provider for their customer newsletters. It contains personal information about your customers such as their name, email address, and depending on the third-party’s integration, may contain more sensitive information such as shipping address, purchase history, and more.
If that email provider is breached, your customers’ information is leaked and your organization is responsible for remediation, response, and communication, an issue that may be difficult if you aren’t alerted to the breach. This kind of risk is present across most, if not all, third-parties, which is why it’s crucial to be aware of the risks involved.
VendorCentric has a great breakdown of the different types of risk posed by third-parties. Here’s a quick summary.
Reputational Third-Party Risk
Due to political, operational, relational or some other reason, an association with a third-party can affect your own reputation. If a brand comes under fire and it’s found out that you’re working with them in some way, the blowback may reach you, affecting your own customer relationships and revenue.
Operational Third-Party Risk
With the rise of cloud vendors and cloud-based infrastructure, many companies, especially enterprises, rely on their third-parties to run their business operations. For example, many companies use AWS as their cloud hosting provider—if AWS comes down (which has happened before), a company’s site or services may go offline with them.
Compliance Third-Party Risk
Government compliance and regulations are increasingly turning their attention to third-party risk with NIST recently releasing a special publication for information security that had a significant focus on third-parties. Depending on your industry, certain compliance and regulations require companies to ensure they have some sort of third-party risk management in place and are liable for their third parties’ compliance.
Information Security Third-Party Risk
This is, arguably, the most important risk and can affect the types of risk mentioned earlier. You may have invested in your own cybersecurity department to ensure you’re keeping your organization secure. But do you know if all your third-parties are doing the same? Do you know if your data held in their servers are kept as securely as you’d like? Do you know what their plan is in the case of a breach and are they taking steps to ensure a hacker can’t reach your network? Famously, the 2013 Target hack was initially the result of an HVAC vendor being hacked and exploited to reach Target’s systems and steal credit card data from millions of customers.
This article will mostly focus on information security risk as it can affect and prevent other types of third-party risk from affecting your organization.
Why is Third-Party Risk Management Important?
Without third-party risk management, you’re leaving yourself exposed. If a state-sponsored hacker or bad actor is looking to reach your organization’s network, they know that the easiest way into a company is through its weakest links. Most often, that’s through third-parties and employees. That risk is ever increasing as more and more companies bring on more vendors to handle all kinds of business processes. A 2019 survey by Gartner showed that 71% of organizations reported having more vendors in their third-party network over the last three years and 83% of executives said they identified third-party risks after initial onboarding and vendor due diligence.
Having a strong third-party risk management strategy in place can help identify risks within your third-party network, mitigate that risk, reduce and prevent the damage in case of an incident, and help you respond to any breach or attack, helping you resolve issues before they can impact you or your customers too much.
Challenges Companies Cace with Third-Party Risk Management
Visibility: You may not have the right processes or tools in place to keep track of all your company’s third parties. Rogue employees or departments might also decide to onboard new vendors without your knowledge (this is commonly referred to as “shadow IT”) This makes third-party risk management difficult because you can’t account for or assess the vendors you aren’t aware of.
Liability and Response: Depending on your contract terms or agreements, if a third-party is breached and your information is leaked, they may not be required to tell you about the breach as soon as it happens. If you’re kept in the dark about such an issue, a bad actor may find its way to you without you even knowing and your ability to respond to the incident would be severely affected. They may not also be required to be up to par with your compliance or regulatory standards which can lead to fines or other regulatory problems. Knowing specific terms and agreements in the case of security incidents and regarding regulations is key to managing your third-party risk.
Measures and Processes: Just like you have security measures and processes for your own cybersecurity department, third-party risk management requires a similar approach. You have to put processes in place to ensure no vendor gets onboarded without your knowledge and due diligence. As for business-critical third-parties, you need to have contingency plans, tools, and strategies in place so you know if and when that vendor gets breached, can prevent further damage to your own organization, and can respond and communicate appropriately.
4 Best Practices for Third-Party Risk Management
Third-party risk management is a process and there’s no one solution that fits any organization. As with most risk and security strategies, approaches must be tailored to an organization’s needs, resources, size, industry, and compliance requirements.
1. Take Inventory
Once you have an understanding of your organization’s specific third-party risks and how they can affect you, you need to take inventory of all your third-party vendors. This can require tools that scan your entire network and/or provide asset visibility, but you should also reach out to various heads of your departments to make sure no stone goes unturned. Reaching out to your legal department can help you comprehensively search for all vendors and partners by looking at active and inactive contracts. This will also help you find any expired third-party contracts that may still have some access to your data or network.
2. Prioritize Your Vendors
After you have your list of vendors, organize them from high to low risk and by how business-critical they are. A high-risk, business-critical vendor would be one that, if breached or brought down, would severely impact your ability to do business or put your data (or your customer’s data) at risk. Low-risk vendors may not (or shouldn’t) have access to such sensitive data and wouldn’t significantly impact your BAU if something were to go wrong. This will help inform your next step.
3. Assess Your Vendors
For your most business-critical and high-risk vendors, go over existing contracts and talk to your legal team. Work through various worst-case scenarios and consider these questions.
- If you’re breached, what information (if any) are they required to disclose?
- If so, in what time frame?
- What specific response/mitigation strategies in place?
- Will they work with you as part of your own incident response strategy?
- Are they compliant with the regulations you’re responsible for?
These kinds of questions will help you better understand where your third-party risk lies, whether it’s in the lack of security on behalf of your vendor, a lack of breach disclosure, or whether your vendor isn’t compliant with a regulation you need to adhere to.
You should also see whether there’s any unnecessary risk a third-party may be exposing you to. Do they have access to sensitive data they don’t need in order to perform their function? Or maybe the network integration is unnecessary and you can block access to prevent a bad actor from reaching your servers.
4. Future-Proof Your Vendors
Following the framework above will help you identify any glaring third-party risks that require immediate attention, whether it’s a compliance issue or a business-critical risk that you can’t afford to ignore. As you work with your vendor to either get them up to compliance or find other ways to reduce your risk exposure, you can work on ensuring any new vendors won’t expose you to similar risks.
Here’s where tools, software, additional partners, and vendors can come into play. Prioritize protecting your cloud databases, ensuring you have complete vendor visibility and that any new partnerships or contracts aren’t leaving you exposed. Internally, new processes should be put in place to prevent any vendor from accessing your network without you knowing and approving the partnership. Network segmentation tools and setting a privileged access system in place may prevent a third-party from exposing your data and can also prevent anyone from reaching your network via your third-parties.
TPRM is an Ongoing Effort
If you’re just starting off with third-party risk management, don’t expect to completely solve or have a working framework in just a few weeks or months. This requires a lot of effort and resources and you will have new tasks to take care of that will pop up over time. As long as you’re prioritizing which third-parties (like your cloud-based vendors or infrastructure partners) you’re managing, you’re off to a good start already.
To learn more about which cloud-based vendor is right for you, check out Varonis’ article comparing AWS, Azure, and Google. And if you want to learn more about securing and protecting your data from both internal and external threats, click here to check out Varonis’ data protection solution.