Getting Started with Third-Party Vendor Cybersecurity Risk Management
Doing business today takes a village. No matter the size of your organization, you can’t do it alone—nor should you. Working with other companies, from parts suppliers or outsourced legal teams to software providers, often adds great value for your organization. These important third-party relationships also come with cybersecurity risk: Any time you share data with an external party, you lose some control over what happens to it. Depending on the third-party relationship, this can involve sensitive data, including client or employee personal details, confidential business information, and company financials—certainly not information you want to fall into the hands of a cyberattacker.
With this in mind, how can you mitigate some of the risk that comes with third-party vendor relationships? This article covers the basics of assessing, reducing, and managing third-party cybersecurity risk at your organization.
Managing Third-Party Cybersecurity Risk
From Canon to SolarWinds, third-party data breaches have been making news recently. Most nationwide headlines involve large, enterprise companies, but small businesses and organizations are just as vulnerable. When Tyler Technologies, a software provider that services many local government agencies and small public-sector organizations, took their systems offline due to a ransomware attack, many local government organizations experienced system outages, including utility payment and local court services.
In a complex cybersecurity threat landscape, a data breach of a third-party vendor can impact your business in several ways:
- Businesses often share large amounts of sensitive data with third-party vendors as a necessity of working together. When they fall victim to a cyberattack, any data you share with them could be breached, misused, or stolen.
- If your business is subject to compliance regulations such as PCI DSS, HIPAA, or GDPR, you may even be held legally and financially accountable for breaches caused by a third-party supplier.
- If a third-party vendor experiences a security incident, it may pause operations, either because it cannot access its data or to give itself time to assess and respond to the attack. This is a major concern for businesses that rely on third-party providers to keep their company running, as downtime can result in lost business, delays, and rippling impact throughout the supply chain.
Third-party relationships are on the rise: According to Gartner, 71% of organizations use more third parties than they did three years ago, and the same percentage reports that their third-party network will continue to grow in the next three years. For this increased reliance on third parties to be successful, data protection needs to be a two-way street between businesses and their vendors as digital transformation continues.
As a small business, the most important step you can take is to formalize a process for managing third-party risk at your organization. This means implementing an intentional plan to identify, assess, document, and protect against the potential threats that your vendors face.
Here’s how to get started.
1. Create a Standardized Approach to Assessing Third-Party Vendors
Effective third-party risk management begins with a standardized, comprehensive approach. Work with key stakeholders at your organization to set expectations, define ownership, and apply a consistent, documented process, both for existing third parties and during the selection process for a new vendor. The time invested up front makes subsequent work easier when new partners come on board.
Key steps in your approach:
- Identify Third Parties: Inventory and document all third-party vendors and service providers with whom your organization works, and keep the list regularly updated as you hire new vendors. Be sure to consider all external companies with whom you do business—if they provide a good or service, they should be on your list. Common categories of third-party vendors include:
- Contractors and consultants
- Agencies and business services
- Manufacturers and suppliers
- Technology and software providers
- Catalog Security Risks: For each third-party vendor, list the potential risks you will face working with them, including financial, information security, reputational, and compliance risk, and determine your organization’s risk threshold.
- Establish an Internal Team: Decide who in your organization is responsible for managing each third-party relationship, communicate the expectations for managing security risk and best practices, and establish an oversight team.
- Document, Communicate, and Enforce Requirements: Vendors can’t meet your security requirements if they don’t know what they are. Determine your standards, track them, and communicate them to third-party vendors proactively.
2. Assess Third Parties’ Security Controls
Once you have a standardized approach in place, focus on assessing third-party relationships thoroughly—both existing relationships and in the vetting process for a new vendor. Your review should cover the following:
- Vendor History and Reputation: Do your research and due diligence on the vendor. Check review sites, customer testimonials, business listings, and any news stories. Consider how long the third-party company has been doing business, their history, and any previous cybersecurity, legal, or financial issues. Create a checklist, flag any issues, and discuss internally and with the vendor to determine the potential risk.
- Information Accessed: You may not even realize how much data you share with third parties—which is why it’s so important to make a detailed list. What data does the third-party vendor use when working with you? What access do they have? If they access sensitive data such as customer and client information or company financial records, apply additional scrutiny during the selection and review process.
- Cybersecurity Policies and Practices: Ask the vendor about the cybersecurity controls they have in place across People, Processes, and Technology. Do they train their team on security and conduct regular employee background checks? Do they have strong cybersecurity policies and protections that align with key cybersecurity frameworks and standards? How do they audit and test their cybersecurity technology and processes?
A good way to look at the assessment process is to treat third parties as if they are your company. Holding them to the same standards that you apply internally helps ensure that your data is protected the way you would protect it.
3. Use Proper Access Management Standards
74% of organizations that experienced a third-party security breach within the last year report that the breach occurred because the third party was given too much privileged access. Limiting access to data is an important and proactive step you can take to protect your organization if a third-party vendor does experience a breach.
Use the same processes, procedures, and technology that you use internally to monitor and limit access. Just as you wouldn’t provide someone on your sales team with administrator access to the network, don’t provide access—especially to sensitive data—that a third-party vendor doesn’t need to perform their job. A vendor can always request more access if they truly need it, but a conservative approach to sharing data helps contain the potential damage.
Don’t forget to consider access removal: When you stop doing business with a vendor, follow your standard offboarding procedures to be sure all access is revoked.
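One way to make the access checks in this step repeatable, as an added example that is not part of the original article: reconcile the vendor inventory from Step 1 against the access your systems actually grant, flagging offboarded vendors that still hold access, vendors that were never inventoried, sensitive-data access the engagement does not need, and any privileged rights. The vendor and grant records below are constructed sample data, and the field names are assumptions for illustration.

```python
"""Reconcile a vendor inventory against granted access (constructed sample data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    name: str
    status: str            # "active" or "offboarded" (assumed inventory field)
    needs_sensitive: bool  # engagement legitimately requires sensitive data


@dataclass(frozen=True)
class AccessGrant:
    vendor: str
    resource: str
    sensitive: bool   # resource holds customer, employee or financial data
    privileged: bool  # grant carries admin-level rights on the resource


def review_vendor_access(vendors, grants):
    """Return (finding, vendor, resource) tuples for every grant that needs action."""
    inventory = {v.name: v for v in vendors}
    findings = []
    for g in grants:
        v = inventory.get(g.vendor)
        if v is None:
            findings.append(("unknown_vendor", g.vendor, g.resource))      # not in the Step 1 inventory
            continue
        if v.status == "offboarded":
            findings.append(("orphaned_access", g.vendor, g.resource))     # offboarding missed a revocation
            continue
        if g.sensitive and not v.needs_sensitive:
            findings.append(("excess_sensitive", g.vendor, g.resource))    # more data than the job needs
        if g.privileged:
            findings.append(("privileged_access", g.vendor, g.resource))   # always review admin rights
    return findings


# Constructed sample inventory and access list.
VENDORS = [
    Vendor("PayrollCo", "active", True),
    Vendor("LandscapeLLC", "active", False),
    Vendor("OldConsultant", "offboarded", True),
]
GRANTS = [
    AccessGrant("PayrollCo", "hr-db", True, False),
    AccessGrant("LandscapeLLC", "finance-share", True, False),
    AccessGrant("OldConsultant", "vpn", False, False),
    AccessGrant("PrinterVendor", "file-server", False, True),
    AccessGrant("PayrollCo", "domain-admin", False, True),
]

if __name__ == "__main__":
    for finding in review_vendor_access(VENDORS, GRANTS):
        print(*finding)
```

Running this at each Step 4 check-in, with the real inventory and an export from your identity provider in place of the sample lists, turns access removal from a one-time offboarding task into a recurring control.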
4. Continuously Monitor Third-Party Cybersecurity Procedures
After the initial vetting process for a third-party vendor, continuous monitoring and management are crucial to managing risk.
The internal owner of each vendor relationship should conduct regular check-ins to discuss their evolving cybersecurity procedures and requirements. It’s also recommended to conduct a full security review and audit every six months to a year, following the same assessment standards you set in Step 2.
If security concerns arise at any point, work with the vendor to develop a plan for improvement with mutual accountability. Remember, investing this time and resources helps ensure your partnerships continue to uphold your high standards for security and business practices.
Don’t Forget: You’re a Third-Party Vendor, Too
If your organization works with or provides services to other businesses, your customers likely consider you to be a third-party vendor and may come to you with cybersecurity requirements of their own.
Be proactive: Make comprehensive cybersecurity protection a priority at your organization, and put controls in place to ensure that your People, Processes, and Technology are secure. Communicate your security practices clearly to your customers, and let them know what you have in place to limit exposure and mitigate risk, such as working with a cybersecurity partner, technology such as co-managed SIEM, or engagement with Security Operations Center (SOC) experts that provide around-the-clock protection, detection, and response to cyber threats. By working closely with both your vendors and your clients, you can do your part to strengthen cybersecurity practices throughout the supply chain.
For more on third-party risk management, download our Small Business’ Guide to Mitigating Third-Party Risk.