In today’s world, where we rely more and more on third parties and vendors for our business activities and needs, we are more vulnerable than ever. We can build a successful cyber risk management program for ourselves internally, but our assets, ongoing business activity and reputation are all still reliant upon the security measures of third-party vendors over which we seemingly have no control or influence.
The popular trend and buzzwords we keep hearing in the market are “third party risk management” but what does that actually mean? What can we do to really protect our organization from third-party security risk? How can we gather true and accurate information about our suppliers and vendors to really measure what risk they pose to our organization? To what extent can we enforce and track the various measures that we adopt with those same third parties? And how do we make decisions around the risk we are willing to accept, while denying vendors who pose too high of a risk to us?
What is Third-Party Risk?
Let’s start by understanding what risk these third parties pose to us. Obviously, third parties were not all created equal. Some vendors and suppliers that we engage with, even on a daily basis, might not pose a huge threat to us, while other high-risk third parties could potentially cause catastrophic damage to us if breached. Imagine, for example, your office materials supplier. You order your paper, pens, printing needs, etc. on a monthly basis, and you provide them with your credit card information. They don’t have access to any of your sensitive business information, so even if they were breached, the potential damage to your organization is minimal. Therefore, they would be classified as a low-impact vendor.
Take, however, your domain provider. If they were breached, you could lose your website and maybe even access to emails, which, for most companies, would create more damage than a breach of your office materials supplier. So that might be a medium- or even high-impact vendor. And then think about your LastPass account – if that were to be breached, all of the accounts that you were storing there would be compromised. Or what if your database that contains PII and PHI were to be hacked? The loss you would potentially experience would be enormous.
Each of these vendors and suppliers would definitely need to be handled differently and scrutinized more carefully than your office materials supplier.
So the first step of a good third-party cyber risk program is to identify the impact level of each of your vendors and suppliers.
The next question to explore is, once we know that a vendor poses a significant threat to our organization, how can we practically protect ourselves from that risk? An effective cyber risk program needs to have a process to identify what regulatory compliance requirements we need our third parties to have in place and what security measures we need them to meet in order to mitigate their inherent risk, which will most likely differ based on the impact level that we’ve determined for each vendor. Once these are determined, we can review and evaluate what risk is left unmitigated and whether or not we are willing to accept that risk for our organization, taking into account the potential impact for each vendor.
How do we gather the necessary information for the purpose of this evaluation?
This is a question that many risk executives and security software solutions have asked themselves. On the one hand, a large portion of the information necessary to make these evaluations comes from the vendors themselves, but we need to ask, can we trust the information that the vendor provides us with? Do we know it to be accurate and enforced within the vendors’ environment?
The two ways to address this inherent conflict are to: (a) collect the information in a manner that can be tracked and traced back to the vendor and stakeholder, providing a clear audit trail, and (b) not rely solely on the information that the vendor provides, but also gather any information that we can from available sources on the vendor’s vulnerabilities and breaches, which can attest to the security measures in place and alert us to any real threat that could impact us via the way in which we interact with the specific vendor.
Once we have the information about our vendors’ risk management security controls, how can we use this to make informed decisions about which third parties to approve? And how can we, effectively and over time, ensure that these vendors are maintaining the requirements that we set out for them?
Once we’ve determined for ourselves what security measures we require from each impact category of vendor, we need to communicate those requirements to our vendors. If we only have a few vendors, we can probably do this simply, with Excel or another similar tool. But once you have a larger number of vendors (which most organizations do), assessing and quantifying the risk they pose, and communicating your ongoing requirements to them, will become extremely difficult and complicated.
Using one dedicated solution to onboard, assess and manage vendors over time is critical for any organization that has more than a handful of vendors, especially a solution that can also provide additional information about the security controls, the vendors themselves, and any breaches or vulnerabilities that they have. Once we have all of our vendor risk information in one place, we can now easily review their cyber risk controls, vulnerabilities and threats and determine the risk they pose to us.
If the risk is too high, we can quickly communicate to them what they need to do in order to be approved, or alternatively, choose not to work with them if they are unwilling to lower that risk. This clear communication and visibility for both the organization and the third parties is crucial for ensuring that everyone is on the same page. Keeping this live and ongoing risk management approach with our vendors means that everyone takes it seriously and does what is necessary to ensure that all of our requirements are met.
Third party risk is our risk, and we need to do everything we can to manage it effectively.