Your Vendors Are a Risk: Here Is What You Can Do
It is likely your organization relies on third parties to sustain day-to-day business operations; two-thirds of companies do. But how secure is your supply chain? Organizations rely on third parties for any number of functions, many of which touch sensitive data or critical business processes. As a result, third parties frequently create access points into your network, and attackers have realized that it is often easier to reach your network through a third party with weaker defenses than to attack you directly.
A third party is in many respects an insider: depending on its function, it works inside your environment with access levels equal to or greater than those of your own employees. The strength of the controls your organization implements to defend against a data breach is only part of the battle, because vendors that have not been properly vetted present a significant risk of their own. Organizations of any size can suffer a breach this way.
As organizations develop their own security programs, many seem to have lost sight of an important fact: every access point into an organization's network, including those created for vendors, should be evaluated as a potential risk.
What can my organization do for TPRM?
Communicate with all stakeholders
It is vital to take a holistic approach to managing your organization's IT security, and where many organizations fail is communication, particularly in managing third parties. Security personnel should be involved not only in contract discussions but throughout the entire vendor acquisition process. Establishing a process that accounts for both business needs and risk makes third-party management more efficient; it begins with executive support and communication among the stakeholders.
Establish a program
In some industries, such as healthcare and financial services, third-party risk management is driven by regulatory requirements. Regardless of your industry, if you care about protecting your data, you need a system to monitor your vendors. By establishing a program comprised of both line-of-business and IT security personnel, your organization can define roles and responsibilities and develop a framework for assessing third parties. One size does not fit all: organizations work with vendors of widely varying function and criticality, so the framework must be adaptable to your business needs.
Understand your relationships
Do you know who has your data and where it is stored? Do your third parties in turn have vendors of their own (fourth parties to you) that may also receive your data? According to PwC, 69% of enterprises do not have an inventory of where their data resides.[viii] Creating such an inventory takes effort, but it is worthwhile. Additionally, your organization should establish a register, or profile, of all vendors and maintain a clear understanding of each relationship, including what data, if any, the vendor processes and how it connects to your environment. This is where effective communication between IT security personnel and the respective business unit becomes vital: business personnel generally work with the suppliers day to day, so they are the ones who can supply an in-depth profile of the relationship, which security then uses to assess criticality and apply the appropriate controls.
Assess your third parties
An effective program assigns each supplier a criticality rating based on risk: the sensitivity of the data it handles, the access it has to your network, and how dependent your operations are on it. Many organizations use this rating as the basis for a tiered assessment system, so that the depth of the assessment matches the risk. For lower tiers, the assessment is typically a questionnaire; more critical suppliers warrant a "trust but verify" approach, whether via a remote presentation of evidence or an onsite assessment, to confirm that the stated controls are actually in place. Document the issues found and follow through afterward. You may not be able to force remediation of every issue, but a comprehensive supplier register in which findings are recorded lets you evaluate and track the risk you are carrying.
Going forward, set re-assessment timelines based on criticality (the most critical suppliers are reviewed most often), and establish checks between full assessments to confirm that agreed controls remain implemented.
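The tiering and scheduling logic described above can be made concrete as a small vendor register. The following is an added example, not code from the original article; the scoring weights, tier thresholds, review cadences and the four fictional vendors are assumptions chosen for illustration, and a real program would substitute its own definitions.

```python
"""Vendor register with criticality tiering and re-assessment scheduling.

Added example; the scoring weights, tier thresholds and review cadences are
illustrative assumptions, not a standard. Replace them with your programme's own.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed scoring inputs: what data the vendor touches and how it reaches you.
DATA_SENSITIVITY = {"none": 0, "internal": 1, "confidential": 2, "regulated": 3}
NETWORK_ACCESS = {"none": 0, "saas_only": 1, "vpn": 2, "privileged": 3}

# Assumed cadence (days) and minimum assessment depth per tier (1 = most critical).
REASSESS_DAYS = {1: 365, 2: 730, 3: 1095}
REQUIRED_ASSESSMENT = {1: "onsite", 2: "remote_presentation", 3: "questionnaire"}
ASSESSMENT_RANK = {"questionnaire": 1, "remote_presentation": 2, "onsite": 3}


@dataclass
class Vendor:
    name: str
    data_handled: str          # key into DATA_SENSITIVITY
    network_access: str        # key into NETWORK_ACCESS
    business_critical: bool    # does an outage halt a core process?
    fourth_parties: list = field(default_factory=list)   # their vendors that may see your data
    last_assessed: Optional[date] = None
    assessment_type: Optional[str] = None  # depth of the last assessment actually performed


def risk_score(v: Vendor) -> int:
    """Additive score: data sensitivity + network access + criticality + fourth-party exposure."""
    score = DATA_SENSITIVITY[v.data_handled] + NETWORK_ACCESS[v.network_access]
    if v.business_critical:
        score += 2
    if v.fourth_parties and DATA_SENSITIVITY[v.data_handled] >= 2:
        score += 1  # sensitive data also leaves the vendor for its own suppliers
    return score


def tier(v: Vendor) -> int:
    """Map score to tier; regulated data or privileged access is tier 1 regardless of score."""
    if v.data_handled == "regulated" or v.network_access == "privileged":
        return 1
    s = risk_score(v)
    if s >= 5:
        return 1
    if s >= 3:
        return 2
    return 3


def next_due(v: Vendor) -> Optional[date]:
    """Date the next re-assessment is due, or None if the vendor was never assessed."""
    if v.last_assessed is None:
        return None
    return v.last_assessed + timedelta(days=REASSESS_DAYS[tier(v)])


def findings(register, today: date) -> dict:
    """Vendors overdue for review, and vendors assessed less deeply than their tier requires."""
    overdue, under_assessed = [], []
    for v in register:
        due = next_due(v)
        if due is None or due <= today:
            overdue.append(v.name)
        required = REQUIRED_ASSESSMENT[tier(v)]
        have = ASSESSMENT_RANK.get(v.assessment_type, 0)
        if have < ASSESSMENT_RANK[required]:
            under_assessed.append((v.name, required))
    return {"overdue": overdue, "under_assessed": under_assessed}


# Constructed sample register with fictional vendors.
REGISTER = [
    Vendor("PayrollCo", "regulated", "saas_only", True, ["CloudHost"],
           date(2023, 1, 15), "questionnaire"),
    Vendor("HVAC Maint", "none", "vpn", False, [], date(2024, 3, 1), "questionnaire"),
    Vendor("Analytics SaaS", "confidential", "saas_only", False, ["SubProcessor"],
           None, None),
    Vendor("Catering", "none", "none", False, [], date(2022, 6, 1), "questionnaire"),
]
AS_OF = date(2024, 6, 1)  # assumed "today" for the sample run


def sample_findings() -> dict:
    return findings(REGISTER, AS_OF)


if __name__ == "__main__":
    for v in REGISTER:
        print(f"{v.name}: score={risk_score(v)} tier={tier(v)} next_due={next_due(v)}")
    print(sample_findings())
```

The point of the two output lists is the follow-through the article calls for: a tier 1 vendor assessed only by questionnaire is flagged even if its review date has not passed, and a vendor that has never been assessed is treated as overdue rather than silently skipped.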
The damage from a third-party breach is typically greater than that of a direct breach, raising the cost per record, quite apart from the collateral damage to brand reputation and the business. With third-party breaches increasing in an ever more connected world, your organization cannot afford to leave third parties out of its information security program.