The typical company’s technology environment is built on hardware, software and services from hundreds of different third-party providers. These supply chain relationships are essential for operational efficiency, but they also create openings for serious cyberattacks.
Cybercriminals are increasingly exploiting supply chains to distribute malware to mass numbers of victims simultaneously. The recent SolarWinds and Kaseya attacks are prime examples. Hackers planted malware in the software the companies sell, and tens of thousands of their customers became infected when they installed or updated the software.
The federal government’s National Counterintelligence and Security Center recently cited research suggesting that such attacks more than tripled in 2021, affecting nearly two-thirds of U.S. companies. In many cases, the agency reports, foreign adversaries are taking advantage of supply chain vulnerabilities for espionage, sabotage and information theft purposes.
The NCSC encourages organizations to mitigate risk by conducting robust due diligence before contracting with third-party vendors and suppliers. As part of the process, the agency says, organizations should evaluate suppliers’ security practices and incorporate specific security requirements into their contracts.
A New Approach Needed
That may not be enough, however. In a recent Gartner study, more than 80 percent of compliance leaders reported that third-party risks were identified after they conducted initial due diligence and vendor onboarding processes.
Third-party risk management (TPRM) offers a better approach. TPRM programs take a more iterative approach to risk management by following traditional evaluation and onboarding processes with ongoing monitoring throughout the lifecycle of the product or service being provided.
In general, a TPRM program should include the following four phases:
- Develop and maintain lists of approved vendors with solid reputations. Then conduct a screening process to ensure a potential partner can meet your risk, compliance and performance requirements.
- Establish contractual requirements, including service level agreements, breach notification and remediation expectations, cybersecurity insurance and licensing documentation, and procurement and payment information.
- Point-in-time assessments are no longer sufficient to track third-party security efforts. Establish ongoing monitoring processes to continuously evaluate security controls and assess whether vendors are complying with industry and organizational requirements.
- Establish a consistent process for engagement to maintain reporting on compliance efforts, new threats, product performance, maintenance schedules and more.
The challenge for most organizations is finding the time and resources to manage complex relationships with multiple providers who aren’t under their direct control. Nearly half of IT professionals say managing vendor relationships has become a huge administrative challenge requiring weeks or months of effort each year, according to a recent Ivanti survey.
Given the challenges, outsourcing TPRM to a managed services provider (MSP) is becoming an attractive option for organizations of all sizes. More than 40 percent of companies surveyed recently by Ernst & Young said they expect to adopt a managed services approach to TPRM over the next three years.
Benefits of the managed services approach include:
- On-demand expertise
- Established processes and methodologies
- Access to cloud analytics, automation and other leading-edge technologies
- Improved visibility into the vendor portfolio
- Better risk mitigation strategies
- Improved regulatory compliance
- Reduced costs
Companies today are increasingly reliant on third-party partners to help them address complex technology needs. According to Gartner, 71 percent of organizations report that their network of third-party vendors and suppliers has grown over the past three years. However, those third-party relationships can also open up the risk of supply chain attacks and other cybersecurity threats.
Third-party risk management programs can mitigate risk by establishing a formalized method for assessing, onboarding and monitoring partners. Contact Technologent to learn how to quickly gain those benefits through our TPRM program.