Enterprises rely heavily on third-party vendors for faster time to market, improved profitability and reduced costs. However, third-party partnerships come with varying risks, including financial, information security, reputational and regulatory risks. If a business outsources important functions to third parties or uses them in its data handling or network chain, the risks are compounded by those parties’ weaknesses.
According to Opus & Ponemon Institute’s 2017 Third Party Data Risk study, 56 percent of organizations experienced a data breach through a third party, and 42 percent of organizations experienced attacks against third-party vendors that resulted in the misuse of their firm’s confidential or sensitive information. The reality is that no matter how good the reputation or credibility of your third-party vendor is, security risks will never completely go away.
It is under such circumstances that we see the emerging need for third-party risk management. And there’s also a business case for doing so: proactive mitigation of third-party risks is a mainstay of good cost management and operational health.
4 Best Practices for Managing Third-Party Risks
Here’s what you can do to leverage the capabilities of third-party vendors and simultaneously protect your data, systems, and network.
1. Plan for a Swift Exit Strategy
Any third-party relationships should begin with a transition plan, an exit strategy or a prenup – whatever you call it; it’s best to start by planning for the end which, in the case of vendor-related partnerships, can occur at any point in time. Whether due to an unexpected breach, contract completion, abandonment of a promised service or turning over duties to a fourth party, termination of a contract is inevitable. The deeper the vendor is layered in and utilizes the confidential information of an organization and its customers, the more challenging it will become to disentangle. A preplanned exit strategy is therefore essential.
As a best practice, organizations should clean up the access environment as soon as a contract is terminated. Merely restricting network access isn’t enough: set up an automated system in place that ends all access just like it would for an employee. Also, it’d be smart to capture the nature and length of a contract during onboarding so that access to internal systems, data and technologies expires automatically. Organizations with a more advanced third-party monitoring program can “map out” what the impact would be of a particular termination. Accordingly, they can pivot through granted access to detach high-risk third parties from their most important data.
2. Conduct Screening and Due Diligence of the Entire Lifecycle
An effective screening and due diligence strategy can help you gain a better understanding of third parties, as well as help you pick the right vendors to work with. Develop your strategy to ensure you address the entire lifecycle – from choice to onboarding, to management to long-term partnerships – along with the third party’s country of operation, existing location and other key factors. For example, onboarding processes should capture complete information along with the necessary contracts, documents and certifications.
Additionally, continuous monitoring can help you make informed decisions about third-party companies. Many enterprises leverage data screening providers to receive data feeds and real-time alerts on third parties. This helps them screen potential partners against international sanctions lists, as well as watch lists, law enforcement and adverse news reports. The process can also help you determine if third parties actually offer services and technologies, or if they are in fact subcontracted to another organization (a fourth party).
3. Validate That the Cybersecurity Posture of the Third Party Is Better Than or Equal to Yours
Most enterprises initiate their third-party evaluation process by analyzing compliance reports from governing bodies such as SOC2, NIST or ISO. The reports provide organizations with an overview of the third party’s existing information security posture. The issue is, they’re often unactionable and unverifiable – which goes against the standard third-party risk management principles. What’s more, they’re prone to human error, misinterpretation and fallibility, so they can eat away at security from both ends.
Therefore, many firms are switching to publicly-observable metrics. These are capable of analyzing and verifying a third-party’s technical systems. Typically, they’re mapped to public IPs. Indicators like a vendor’s IP address base redirecting traffic from malicious websites or poor configurations are signs that their security posture might not be up to the par.
With the help of solutions like QuadMetrics and SecurityScorecard, you can quickly review your third-party vendors without requesting anything from them. Solutions like these undertake a rigorous data collection process and make it as convenient as logging into a dashboard and analyzing a security rating.
Ethical Hacking Training – Resources (InfoSec)
4. Augment Examination of Inherent Third-Party Risks With Questionnaires
Inherent risks refer to the risks related to offering a service or product irrespective of the mitigating factors or controls a vendor may have in place. These are typically evaluated with risk assessments to identify where each offer falls on the vendor risk spectrum of an organization. Their data often includes a summary of critical risk factors, relevant regulations and access methods, as well as an operational, financial and reputational influence (e.g. GDPR, PCI DSS, HIPAA). However, subjective risk assessments are resource-intensive, requiring effort, money and time to conduct evaluations.
That leaves questionnaires to get the job done. Proper planning is vital to ensure that you list the right questions, and in such a way that produces the most value for your efforts.
Because third parties are part of core business processes, they should be asked direct questions. Below are some examples that could be listed as key questions.
- What types of data does your business create?
- How do you handle data in case a contract is terminated?
- Do you outsource any of your operations?
- Where is the data stored?
- What does a data breach look like for your company?
By asking the right questions and using the same template to pre-populate data for the remaining vendors, you’re developing a standardized structure that can be applied to all external vendors, whether onboarded or under review.
By conducting due diligence of the entire lifecycle, automating certain aspects of your risk aversion strategy and leveraging third-party assessments, you’re not far from devising a mature third-party risk management program that can efficiently evaluate any new vendor as they come in. A little extra work and care can succeed in keeping your enterprise much more secure.