Understanding and managing the risk that third-party service providers or suppliers pose to your operations should be an essential component of any comprehensive cybersecurity risk program. The risk that third-party vendors pose organizations is often not well understood. This leads to organizations exposing themselves to unnecessary risk that is otherwise avoidable.
Third-party entities can pose risks in a variety of ways. From the poor implementation of required security protocols to a lack of in-depth personnel vetting, there are many ways that security vulnerabilities with third-party vendors can translate to a security incident for your organization. Understanding the scope of security risk and cyber risk that you face from third-party providers can help you make calculated organizational and operational decisions that are fully informed. The creation of a third party risk management policy should be a necessary component of your cybersecurity strategy and should be fully backed by senior management.
In this article, we’ll outline some third party risk management best practices that you can use to ensure your risk management policy is headed in the right direction. From the beginning, it’s important to understand that third-party risk management should be an extension of your existing risk management efforts, not simply an afterthought. As will become clear, it isn’t enough from a security or a compliance perspective to simply trust that third-party entities that provide IT services are developing and implementing policies and procedures that are consistent with your requirements. Rather, it is ultimately your responsibility to ensure that third-party entities are maintaining their contractual security obligations.
It is important from the beginning to understand what may constitute a third-party. Within a cyber security context, a third-party vendor is an entity that you share network access or information with. This may include a cloud service provider, payment processing provider, or supply chain partner. Each third-party vendor must be accounted for when you are assessing your third-party risk. If there are gaps in your assessment there will naturally be gaps in your security.
Perform Your Due Diligence
One of the best ways you can manage risk stemming from third-party entities is to ensure that you partner with businesses that take cybersecurity seriously. In order to ensure that the third-party entities you share your network or information with have an adequate cybersecurity presence for your security needs, you’ll have to perform a certain level of due diligence. Businesses that partner with, or outsource to, third-parties must ensure that the third-party’s cybersecurity protocols and security controls are sufficient for their security needs. They must also ensure that the third-party provider understands their security needs and security concerns, and can offer assurances that those needs will be met.
Due diligence can take a variety of forms, many of which come down to the specific security and compliance requirements you are bound by. Ultimately, you’ll have to make the final decision whether the third-party provider poses an acceptable level of risk. An important element in that calculation is to have a full understanding of the company you are doing business with. Taking the time to gain a full-field view of a third-party provider is an essential component to reducing risk.
Security Assessment and Validation
With any third-party entity you allow network access to or share information with, it is advisable to perform a security assessment. If this can’t be done in-house, consider utilizing a third-party security provider to assess the company. The reason for performing a security assessment is simple; you’ll want to assess for yourself what the third-party provider or vendor’s security risks are. It is one thing for a third-party vendor to make claim regarding their security efforts. It is quite another to see for yourself what security vulnerabilities exist for yourself.
Along with performing a security assessment, you should also validate that the third-party vendor you are working with is properly implementing security protocols over time. In today’s threat landscape, it’s not enough to ensure that security protocols are in place during a single moment in time. Regular validation of third-party vendors is an effective way to help reduce the risk for your organization. Determining how long between validations should be determined with your cybersecurity team or the third-party security provider you work with.
Integrate Risk Management Into the Vendor Selection Process
A recurring theme in our risk management best practices is identifying areas of risk and minimizing them early on, or avoiding them entirely. One way that you can minimize risk is by selecting the right third-party vendor from the beginning. Integrating risk management into the vendor selection process is critical to ensure that your entire vendor network poses a manageable level of risk. During the vendor selection process members of your IT and security teams should be involved. Alongside this, cybersecurity risks posed by third-party vendors should be a central component of a comprehensive risk assessment prior to working with a vendor.
By integrating risk management into the selection process for vendors, you ensure that each relationship you enter into is done with a clear understanding of the risks it poses to your operations and security. With the state of risk that companies face today, every potential area of vulnerability must be identified and addressed. It’s also important to know how to build an effective vulnerability management program. This includes every third-party vendor or provider along with all supply-chain suppliers. Given the scope of this for some organizations, it makes sense to integrate cybersecurity risk assessments into the selection process from the outset. Your company will be sure that they are working with providers that understand your security concerns and will implement adequate safeguards to ensure you have an acceptable level of risk.
Clearly Define Areas of Responsibility
One best practice that is sometimes overlooked to the peril of organizations is clearly defining areas of responsibility when it comes to security. This is especially important from a compliance perspective, as some regulatory authorities have specific regulatory requirements for who is responsible for safeguarding sensitive data in a third-party vendor situation. Every relationship with a third-party provider should have clearly spelled out areas of responsibility. There will most often be areas that you are solely responsible for security, areas where the third-party provider will have sole responsibility, and areas where you have overlapping responsibility. Understanding exactly what your areas of responsibility are, and how shared responsibility will be managed, is critical. Equally important, however, is for the third-party entity to fully understand the security requirements they must implement to ensure they meet their security obligations. If they don’t have a clear understanding of what is required of them from the outset, it is much more likely that security lapses may occur.
The most effective way to ensure that each party understands their security obligations is to utilize ironclad contracts. Make sure your contracts spell out in clear language the security requirements that each party will be required to meet. This will position you favorably if there is ever a dispute over areas of sole or overlapping responsibility. More importantly, however, you may have a compliance requirement to create a clear contract that demarcates security responsibilities.
As with all other aspects of managing third-party cybersecurity risk, involving your IT and security departments into the management processes of understanding and outlining areas of cybersecurity responsibility is strongly encouraged. Not only should your personnel be involved, but the third-party vendor’s IT and security staff should also be engaged in the process. Both parties must fully understand where their responsibilities start, end, and overlap. In addition to this, each party must understand what should occur if there is a data breach, and have a response plan in place that is regularly reviewed.
Navigating 3rd party risk management can be tricky. In today’s cyber landscape, the scope of risk facing companies is large and often underestimated. Once you begin peeling back the layers on your third-party vendor relationships and exposing areas where third-party vendors may pose a significant risk to your information or networks, it can be a daunting process to assess, quantify, and minimize that risk. A mistake many companies make is in thinking that the landscape of risk they face is static rather than dynamic. Due to the fact that the threat landscape is constantly shifting, there are always new areas of risk opening up. What this means is that managing third-party risk from a cybersecurity perspective requires an approach that is constantly vigilant.
While there are many ways organizations do this, you’ll want to set up a system for continuous monitoring and reassessment of approved third-party vendors that you work with. This should be a high priority in any organization that carries risk from third-party vendors. Due to the fact that cybersecurity risk is shared risk, your vendors should also be doing this same thing, hopefully to the same degree. The net effect of this is a stronger communal network where areas of risk overlap. If your entire third-party network exercised the same high degree of cybersecurity awareness and monitoring, the risk level of all entities within your network will be lower.
The Importance of Security Expertise
One of the challenges that many companies face is gaining access to a sufficient level of expertise to accurately assess the risk that third-party providers pose to them. Assessing risk from third-party vendors is a complex process, and within a cybersecurity context requires an in-depth understanding of exactly what vulnerabilities may exist and what efforts need to be taken to minimize the risk those vulnerabilities pose. There are also compliance requirements to consider. Your compliance requirements will be a deciding factor in both the third-party vendors you choose to work with and the security protocols that they are required to put in place. Some regulatory structures have strict requirements regarding the nature of a relationship between a business and third-party vendors, particularly in regards to understanding and defining areas of risk.
The problem for many companies is that they don’t have access to security professionals in-house that can help them identify and mitigate the risk posed by third-party vendors. In many cases, it’s not financially viable to operate third-party risk management internally. Although sometimes third-party risk management aligns completely with internal risk management efforts, more often it is an external process that is managed under a different organizational structure. This can present challenges for both security staff and management for getting an accurate understanding of what risks third-party vendors pose and what steps are being taken to minimize those risks. Also, remember that managing third-party risk is an ongoing process, not a one-off event. This means that there is generally a team tasked specifically with identifying and managing third-party risk.
The solution that some companies choose is to work with a third-party security provider that specializes in third-party risk management. It is particularly helpful to acquire these compliance advisory services when there are compliance considerations that must be accounted for. Even ensuring operations internal to your organization are adhering to regulatory compliance requirements can be a daunting process. Assessing whether compliance requirements have been met by a single third-party vendor can be challenging, and given the fact that many companies work with a variety of third-party vendors, providers, and supply chain partners, working with a security assessor that can focus on ensuring third-party risk is minimized and compliance requirements are met can free up resources for other areas.
In today’s world, the level of risk that companies face is staggering. The toll for a harmful cybersecurity event is just as shocking. Due to this, companies must be proactive in their approach to finding a third-party management for a risk assessment and threat and vulnerability management program. Implementing the best practices we have outlined are important components of a comprehensive risk-management approach to cybersecurity, but there are also many others. Working with a third-party security provider that understands this is one step toward ensuring the security of your network assets and information. If you would like to find out more information about how a third-party risk management service can help identify and minimize your risk and provide you the cybersecurity solutions you need, please contact RSI Security today.
- “Understanding the Cybersecurity Threat: The Board’s Role.” In Corporate Governance Advisor, 26:9–17. Aspen Publishers Inc., 2018.
- Preimesberger, Chris. “10 Ways Enterprises Can Limit Third-Party Cyber-Risk.” EWeek, February 8, 2017, 2–2.