Impactful, efficient third party vendor risk management comes down to five critical steps:
- Cataloging all third party assets that come into contact with your systems
- Scanning for vulnerabilities or weaknesses across all third party assets
- Monitoring for internal and external threats to all third party assets
- Accounting for regulatory requirements applicable to third parties
- Prioritizing and mitigating threats and vulnerabilities identified
Step #1: Identify Third Party Devices, Systems, and Users
All elements of third party risk management (TPRM), including assessments, depend on accurate scoping. To understand what risks are posed across your third party assets, you’ll need to identify what those assets are. That means creating a third party asset catalog.
This process begins with identifying all devices and other hardware that belong to, are operated by, or otherwise fall under the responsibility of third parties—computers, phones, etc. Next, you’ll need to round up all third party software that comes into contact with your organization. That includes programs, apps, and websites that employees use for work purposes but that are managed by stakeholders outside of your organization (i.e., by developers and vendors).
You’ll also want to account for third party individuals—users, accounts, and associated assets—that come into contact with your system. That includes their activity and awareness.
Step #2: Scan for Vulnerabilities on Third Party Assets
Once you have a comprehensive, dynamic list of third party assets, you can begin to scan for risk factors on them. Your vendor risk assessment will begin with identifying potential weaknesses across third party assets, which are known as vulnerabilities. These may include:
- Missing or outdated protections across third party hardware and software
- Third party devices connecting to unknown or unsecured networks
- Lapses in visibility or control over third party users’ access and activity
- Third party devices’ incompatibility with organizational firewalls, etc.
- Gaps in assurance of third party users’ security awareness and training
Any of these weaknesses is a potential target for cybercrime. They can exist on internal assets as well, but they are especially dangerous on third party assets. There is a multiplicative effect at play: a lack of oversight makes vulnerabilities (and the incidents that result from them) harder to detect.
Step #3: Monitor for Threats on Third Party Assets
Vulnerabilities are dangerous insofar as they can be exploited by threat actors—attackers and cybercriminals—to compromise your data. Threat vectors, or the means attackers use to exploit your systems, pose threats to both internal and third party assets. But, as with vulnerabilities, it can be much harder to appreciate the full extent of third party threats than internal-only ones.
Some of the most impactful threats for third party assets specifically are ones that leverage connections and points of intersection between your organization and your strategic partners.
For example, consider a phishing scheme that targets lower-level staff within your partner organization or individuals and small businesses that interact with your teams on a sporadic, adjunct basis. Attackers could leverage their relatively low level of knowledge about your organization’s makeup in targeted phishing schemes. In so doing, they could elicit sensitive information that compromises the security of both you and your third party—and your clients.
That’s one of the reasons supplier risk assessment is so essential to organizational threat and vulnerability management. You need to actively scan for potential attackers and attack vectors that can take advantage of vulnerabilities specific to your shared IT and security landscape.
Step #4: Account for Regulatory Requirements
An additional risk factor tangentially related to threats and vulnerabilities is the possibility of regulatory violations. If your organization operates in a regulated industry or collects data from individuals protected by local laws—or if this is true of your strategic partners—you may be subject to compliance requirements. As with the above considerations, you may bear the responsibility for securing third party assets that come into contact with your systems.
Some regulations explicitly codify rules about third party assets. For example, the Health Insurance Portability and Accountability Act (HIPAA) applies to both covered entities in and adjacent to healthcare and their business associates. HIPAA compliance needs to be assured across vendors, contractors, and other third parties by way of business associate contracts.
In practice, lapses in security or privacy protections by your personnel or by third parties within your systems could lead to costly non-compliance penalties—for you and/or your partners. A comprehensive third party vendor risk management program needs to account for compliance.
Step #5: Prioritize and Mitigate Risks Accordingly
The purpose of vendor security assessment isn’t just to identify potential threats, vulnerabilities, and other risk factors. It’s to use them to calculate risk values for ranking and prioritization.
In cybersecurity, risk is an expression of the relationship between two values:
- How likely (%) an incident is to occur, which is related to the severity of vulnerabilities
- How much harm ($) would happen if an incident occurs, which is tied to specific threats
Assigning a value to each third party risk based on its likelihood and potential cost empowers you to allocate resources to mitigation. On one hand, third party risks with high potential costs and high likelihoods should come first. On the other, any risks with relatively low costs or likelihoods can be saved for later. Or, your risk calculations might suggest that an alternative solution, such as swapping out third party assets or taking them offline, might be better in the short term.
Optimize Your Third Party Risk Assessment Today
Rethinking your TPRM starts with effective risk assessments: cataloging in-scope assets, scanning for vulnerabilities and threats, accounting for compliance, and acting on your results.
RSI Security has helped countless organizations assess and manage risk across internal and shared assets. We’re committed to helping organizations like yours find and address risks. We know discipline on this front will unlock freedom for all parties involved.
To learn more about our third party risk assessment services, contact RSI Security today!