Skip to main content

How to Identify and Classify High-Risk Third Parties

Posted on October 18th, 2021

Today’s business landscape means having various business partners. From contractors to technology vendors, third parties are now part of everyone’s daily operations. However, with every new third-party you onboard, you also add a new risk. Supply chain attacks compromise your data, even if the third-party isn’t providing you a technology solution. To secure your data, you need to identify and classify high-risk third parties.

Identify third-parties

While this sounds simple at first, it becomes more challenging the deeper you dive. Nearly every department has third-party contracts, and identifying all of them can be challenging.


In today’s gig economy, freelancers fill in skills gaps and help organizations contain costs. However, it might feel difficult to pull together a list of all your company’s current contractors. In order to adequately classify your high-risk third parties, you need visibility across all departments.

While not all contractors pose the same risk, you should have an idea of which ones you need to focus on. This means you need to consider the departments that handle sensitive information. Some examples of departments working with contractors who might manage sensitive data include:

  • Accounting
  • Payroll
  • Human resources
  • Legal
  • IT
  • Marketing

Some areas, like marketing, might not have access to customer information. However, contractors can also have access to sensitive business information, like product and services roadmaps.


In cybersecurity, you’re more likely to immediately think of your technology third-parties when trying to rate risk. Since each department procures the applications it needs, this is another area where getting the right information can be challenging. Even more difficult, users add applications to their devices without official IT permission.

Most likely, you already have a catalog of your major cloud-services providers and Software-as-a-Service (SaaS) applications because the organization needed to budget for these. Some services that would fall into this category include:

  • Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) like AWS, Azure, and Google Cloud Platform (GCP)
  • Enterprise Resource Planning (ERP) like Oracle and SAP
  • Customer Relationship Management (CRM) like Salesforce and Hubspot

However, you also need to consider applications that fall outside of these “big ticket” purchases, including:

  • Task management tools like Asana and Monday
  • Ticketing solutions like Service Now
  • Collaboration platforms like Slack, Microsoft Teams, Google Chat

Identify network, database, and data access

The next thing you need to do is understand who access what resources and how they access them.

For cloud-based technologies, this is often a difficult process. The more applications you add, the larger your digital footprint is. Additionally, if there’s an application or asset that your IT department doesn’t know about or that a user added to their device, you might not realize it accesses data.

At this point, you might want to engage in API discovery to make sure that you identify all the applications accessing your networks. This can help you uncover shadow IT and make sure that you know all the different locations that pose a network access risk.

Assess network, database, and data risk

Once you have a catalog of all the third parties and all digital assets associated with them, you need to consider whether they access sensitive data.

As part of this, you need to identify whether the third parties access any of the following sensitive data types:

  • Names
  • Home addresses
  • Phone numbers
  • Dates of birth
  • Social security numbers/taxpayer ID numbers
  • Bank account information
  • Passport information
  • Email addresses
  • IP addresses
  • Geolocation information
  • Intellectual property

If you segment your networks to secure this data, you should make sure that third parties only have the least amount of access necessary. For example, your marketing contractor shouldn’t have access to a network containing customer payment information.

Additionally, you want to make sure that applications only connect to networks and databases containing the information they need. For example, your CRM doesn’t need access to databases containing payroll information.

Assessing third-party security posture

Once you identify the third parties that interact with sensitive information, you need to assess their security posture. With an increased focus on supply chain attacks, every third-party becomes a potential data breach risk, even contractors that aren’t technology vendors. For example, if a contractor password is compromised, threat actors can use that to gain access to your systems and networks. Once they gain access, they can elevate their privileges and steal data.

When assessing third-party security posture, you should consider whether they:

  • Use a firewall
  • Use a VPN
  • Encrypt data at rest and in-transit
  • Use TLS and SSH certificates to ensure data exchanges are secure
  • Install anti-malware and anti-ransomware on all devices
  • Monitor for DDoS attacks
  • Protect against spoofing of email servers
  • Regularly install security patches for systems, networks, and software
  • Enforce strong password policies

Assigning a risk rating

Now that you have a catalog of all third parties and mapped them to sensitive data, databases, and networks, you can start determining which ones pose the greatest risk to your organization.

When you assign a risk rating, you need to consider the following:

  • How much sensitive information does the third-party access?
  • Does the third-party have privileged access to any systems or data?
  • What would the financial impact be if the third-party experienced a data breach?
  • What would the reputation impact be if the third-party experienced a data breach?
  • What would the compliance and legal costs be if the third-party experienced a data breach?

When looking at third-party technology providers, you need to take some additional considerations into account. For example, many cloud services use service accounts, non-human accounts with privileged access used by operating systems, processes, or service runs.

How SecurityScorecard helps manage high-risk third parties

Mitigating third-party risk is mission-critical for organizations that want to establish a resilient cybersecurity posture. SecurityScorecard’s security ratings platform enables you to continuously monitor and review third-party risk. Our platform passively scans third-party environments and ecosystems, alerting you to potential security vulnerabilities. SecurityScorecard’s security ratings provide at-a-glance visibility into third-party risk using easy-to-read A-F scores.

Return to Blog
Join us in making the world a safer place.