6 Steps for Third-Party Cyber Risk Management

By Michelle Drolet

Founder & CEO

If you have third-party partners, you need a third-party cyber risk management program. Here are six key steps to follow.

Many organizations transact with hundreds of third-party partners, according to EY’s Global Third-Party Risk Management Survey 2019-2020, a trend that PwC finds shows no sign of slowing, even as the risks increase. A recent survey by security vendor Anchore found that in the past 12 months, 64% of businesses experienced a supply chain attack, and this year supplier attacks are expected to quadruple, according to the European Union Agency for Cybersecurity.

For sophisticated cybercriminals, the supplier ecosystem is an attractive vector to exploit, as an attack on one becomes an attack on many. There are several ways in which cybercriminals can leverage the supply chain, including compromising third-party software updates (e.g., SolarWinds), stealing login credentials from third parties (e.g., Target), or injecting malicious code into vulnerable applications or software (e.g., Magecart).

Third-party breaches can result in severe financial losses, downtime, loss of sensitive information, loss of reputation, breach of compliance, fines, and other legal liabilities. Third-party cyber risk management (TPCRM) is an organized approach of analyzing, controlling, monitoring and mitigating cyber risks associated with third-party vendors, suppliers, and service providers. A well-orchestrated TPCRM program can not only mitigate third-party cyber risks but also boost the ability to on-board, manage, and maintain third-party suppliers.

Here are the six key steps involved in creating a comprehensive TPCRM framework:

1. Identify vendors

If you don’t already have an inventory or a central repository of all your third-party vendors, it’s essential that you create one. Start with those that provide core/critical supplies and then move on to smaller vendors that provide support services. It’s important that every single vendor used by every single department is accounted for because just one, no matter its size, can put the entire organization at risk.

2. Determine risk potential

Classify vendors based on the inherent risk they pose to the organization (i.e., risk that doesn’t take into account existing mitigations). To do this, create a scoping questionnaire that can be completed by the employee who owns the vendor relationship to capture vital information regarding the service being offered, the location and level of data being accessed, stored or processed, and other factors that indicate what kind of security assessment may be needed.

3. Have vendors complete risk questionnaires

Every vendor presents a different level of risk. For example, vendors that provide critical services usually have access to sensitive information and therefore pose a larger threat to the organization. This is where a vendor risk questionnaire comes in. You can develop your own or use one of the templates available online. In certain cases your organization may be required to comply with standards like SOC 2 Type 2, ISO 27001, NIST SP 800-53, NIST CSF, PCI DSS, CSA CCM, etc. It’s also important that your questionnaire covers questions related to such frameworks and compliance requirements.

4. Develop a security scorecard

Create a security scorecard or assign a risk rating to vendors based on their level of threat to the organization. You may use the guidelines below to develop a risk rating:

  • High Risk: Deploy corrective actions immediately
  • Medium Risk: Deploy corrective actions within a stipulated time period
  • Low Risk: Accept the risk or create a mitigation plan in the longer term

Remember that high and medium risk vendors are those that handle critical operations or work with sensitive data; low risk vendors do not.

5. Address risks in order of priority

Upon completion of the assessment, management can decide on how they want to respond to each vendor independently. Implementing controls like encryption, multi-factor authentication, endpoint detection and response, security awareness training, etc., can help boost protection and mitigate cyber risks. It’s also important to address these risks by mentioning controls and requirements in your contracts with the vendor so that they understand your expectations clearly and act accordingly.

6. Monitor, optimize, strengthen, and streamline

Third-party risk is always evolving due to changes in services or scope, or due to factors like a supplier’s financial health, market conditions, or ability to deliver. Continuous monitoring at regular intervals is necessary to keep risks in check, safeguard customer information, meet regulatory requirements, and maintain the overall health of the organization. Finally, risk must be monitored throughout the entire vendor lifecycle, from on-boarding to off-boarding.

Remember, TPCRM isn’t simply a security tactic, nor is it simply a compliance requirement; it’s a key cornerstone of a solid security foundation.

This article was originally posted on CSOOnline.