Organizations across all industry verticals are increasingly dependent on third-party vendors for a variety of technology solutions and services necessary to support distributed operations. While these relationships can improve business operations in many ways, they also introduce significant risks.
Enterprise organizations commonly have thousands of third-party arrangements for hosted applications, cloud computing, data analytics, collaboration and communication, supply chain management, and more. Malicious actors target these third-party relationships because doing so allows them to compromise multiple victims in one fell swoop. In the notorious SolarWinds attack, for example, malware planted in the company’s IT monitoring software infected thousands of its customers when they installed or updated the software.
The Ponemon Institute estimates that more than 80 percent of organizations have experienced a cybersecurity incident caused by a third party — although the firm says these incidents are likely underreported. To stem the tide of such incidents, organizations must do more to improve their third-party risk management (TPRM) capabilities.
Identifying Hidden Risks
TPRM is a process for identifying, assessing and mitigating risks associated with the use of services from vendors, suppliers, contractors, business partners and other external parties. It involves evaluating the potential risks and taking appropriate measures to ensure that third-party relationships do not pose significant threats to the organization’s operations, data security, regulatory compliance, reputation or overall resilience.
In a new study from Compliance Week and FTI Consulting, nearly two-thirds of senior executives said improving TPRM is their top compliance priority for 2023. Here are some of the important components of an effective risk management strategy:
- Due diligence. Thoroughly evaluate all prospective and existing third parties to gather information about their security policies, procedures and track record. This can include conducting site visits, requesting security audits, reviewing certifications and evaluating their security controls and regulatory compliance practices.
- Contractual agreements. Contracts should clearly outline the roles, responsibilities and expectations of both parties regarding risk management. They should include clauses related to data protection, security requirements, liability, breach notification and termination conditions.
- Ongoing monitoring. After engaging with providers, it is critical to continue monitoring their performance and compliance efforts to ensure they are meeting the agreed-upon standards. This can involve network scanning, intrusion detection systems, log analysis and continuous security monitoring software.
- Risk mapping. Your third-party partners have their own third-party partners, and their risks become your risks. Create a comprehensive map to understand and visualize the interconnected network of vendors and suppliers with access to your critical systems and resources.
- Incident response. Develop a set of coordinated actions to minimize the impact of a third-party security breach. The response plan should establish communication protocols that ensure partners provide timely notification in the event of an incident. The plan should also establish a response and containment strategy for mitigating the incident.
- Contingency planning. Contracts should outline the third party’s responsibility for continuation of service in the event of a security incident. Contingency plans should detail the provider’s backup strategies, disaster recovery and business continuity plans that minimize potential disruptions or risks.
Even with these processes in place, TPRM will still be challenging due to an inherent lack of control over the security processes and practices employed by third-party partners. It is particularly daunting when dealing with a large number of vendors or suppliers across various business functions or geographical locations. In many cases, it may make sense to turn things over to another third party — an IT solutions provider. Technologent, for example, has an established track record of helping customers implement robust risk management practices. Contact us to learn more.
July 5, 2023