In today's interconnected economy, companies rely on third parties. It's increasingly common to outsource large parts of your business to dedicated vendors who specialise in that function, whether via a SaaS vendor, third-party service provider, or contractor.
These third parties aren't typically under your organisation's control, and it's unlikely that they provide complete transparency into their information security controls. Some vendors have robust security standards and good risk management practices, while others may not.
This means each vendor, whether directly or indirectly, impacts your cybersecurity. This is why third-party risk management and vendor risk management form an important part of any organisation's enterprise risk management strategy.
1. Assess your vendors before on-boarding
On-boarding third-party vendors who will have access to your network and sensitive data without measuring the cybersecurity risk they introduce is risky. Yet, too many organisations fail to perform adequate due diligence during the vendor selection process.
An easy way to assess a potential vendor without introducing operational overhead for your vendor management team is to use security ratings. Security ratings have been widely adopted because they supplement and can sometimes replace time-consuming vendor risk assessment techniques like questionnaires, on-site visits, and penetration tests.
Security ratings let you instantly understand the external security posture of a potential vendor and what cyber threats they may be susceptible to. This greatly reduces the operational burden on TPRM teams during vendor selection, due diligence, on-boarding, and monitoring. Additionally, the reports can be shared with vendors and used to remediate issues.
Because UpGuard measures externally verifiable controls, this pre-assessment can be done without requiring consent or work from a vendor. You can even benchmark and compare a vendor against their peers and others in their sector to help you make an informed decision about which vendor you should select.
The result is a more accurate, real-time picture of the risk the vendor will introduce to your supply chain, without having to spend time completing costly risk assessments, penetration tests, or vulnerability scans.
2. Incorporate risk management into your contracts
Make a practice of incorporating cyber risk into your vendor risk management program and vendor contracts. While this won't prevent a third-party data breach, it means your vendors will be held accountable should their security posture weaken.
Many of our customers incorporate security ratings into their contracts. For example, some stipulate that a vendor who processes personal information or credit cards must maintain a security rating above 900, or risk having their contract terminated.
We also recommend incorporating SLAs into your contracts so you can steer the cybersecurity risk management behaviour of your vendors. Consider adding language that requires your vendors to communicate, or even remediate, any security issues within a certain time frame, such as 72 hours for high-risk issues. Additionally, consider adding the right to request a completed security questionnaire once per quarter, as questionnaires can highlight issues that are missed by external security scanning.
3. Keep an inventory of your in-use vendors
Before you can adequately determine the risk your third-party vendors introduce, you need to understand who all your third parties are, and how much is being shared with each of them.
Without an inventory of your third-party relationships, it's impossible to measure the level of risk vendors introduce. Despite this, only 46% of organisations perform cybersecurity risk assessments on vendors who handle sensitive data.
As simple as this sounds, it's not always easy to know all the vendors used by your organisation, especially if you work at a large one.
This is where tools like UpGuard Vendor Risk can help. We can help you find and monitor your vendors using our instant vendor search. Our platform scans and scores millions of companies every day to give you instant access to vendor security ratings. If we don't currently monitor the company, you can easily add it to your monitored vendor list and we'll start scanning it from the moment you add it.
4. Continuously monitor vendors for security risks
A vendor's security posture can, and will, change over the course of your contract. That's why it's critical for you to continuously monitor their security controls over time.
The trouble is, most organisations don't continuously monitor their vendors. Instead, they rely on point-in-time assessments, such as audits or security questionnaires, which are typically only a snapshot of an organisation's security posture.
There is definitely a place for these types of assessments, as they highlight issues that are often missed by external scanning solutions; that's why UpGuard Vendor Risk has tools to help you automate security questionnaires.
However, they are not well suited to serve as a continuous security monitoring solution.
5. Collaborate with your vendors
While you can never fully prevent third-party unauthorised access, cyber-attacks, and security breaches, it's important to work collaboratively, not combatively, with vendors to reduce risk and fix security issues quickly.
There are several UpGuard Vendor Risk features that support this process.
For example, you can use our Portfolio Risk Profile to prioritise the most critical risks across your vendor ecosystem and request remediation through our platform to ensure risks are resolved quickly and with an audit trail. This facilitates outreach and allows you and your vendor to understand what needs to be fixed and why it poses a risk to end-users and personal data.
6. Talk about third-party risk
The highest-performing organisations (those who have been able to avoid a breach in the last year and those with mature risk management programs) have engaged leadership.
According to the Ponemon Institute's Data Risk in the Third-Party Ecosystem report, 53 percent of respondents within high-performing organisations said they have board and executive-level engagement, compared to just 25 percent of respondents among organisations that have experienced a third-party data breach.
This engagement means that the leadership at the highest performers is aware of the importance of protecting confidential information, as well as of the increasingly stringent privacy practices driven by the introduction of general data protection regulations around the world, such as GDPR, LGPD, CCPA, FIPA, PIPEDA, and the SHIELD Act.
This is why UpGuard Vendor Risk has in-built executive reporting, which includes:
- The average score of your vendors over time
- The distribution of your vendor scores
- Your highest and lowest scoring vendors
- The technologies most commonly used by your vendors
7. Cut ties with bad vendors
If a small business or third-party vendor is unable to meet your standards, or if they've suffered from a ransomware attack or data breach, are you willing to cut ties? And if you are willing to, do you have the processes in place to successfully off-board the vendor without causing business continuity issues?
Lots of companies are good at on-boarding vendors, but struggle to properly off-board them. The most secure organisations care about the details and understand that proper off-boarding is an important part of third-party risk management.
8. Measure fourth-party risk
As important as it is to understand your third-party risk, it's also important to know who your third-parties rely on. These organisations are known as your fourth-party vendors and they introduce fourth-party risk.
Just as organisations are quickly adopting multi-factor authentication, we see our best customers contractually requiring vendors to notify them when they share data with a fourth or fifth party. This allows them to track sensitive information sharing and better understand who has access.
UpGuard Vendor Risk's Concentration Risk module automatically detects many of your fourth parties and shows you which fourth-party vendor you have the most exposure to. This can help you plan for business continuity too. For example, if you know that 30 of your critical vendors rely on AWS, you may opt to choose other vendors who use Google Cloud Platform to spread out the risk that an outage at one of these cloud providers would leave you unable to conduct business as usual.
9. Follow the principle of least privilege
Many third-party data breaches occur because the third party is provided with more access than they need to do their job.
Consider investing in a robust role-based access control system that follows the principle of least privilege (POLP): the practice of limiting the access rights of users, accounts, and computing processes to only those needed to do the job at hand.