Posted on Jan 27, 2020
When you’re managing your cyber risk, you’re not just managing the risk that comes from within your organization. You need to worry about your third parties as well.
Third parties like service providers can be a worrying source of risk. They often have access to sensitive information, you don’t control their cybersecurity, and if they’re involved in a breach, they often drive up the cost. According to Ponemon’s 2019 Cost of a Data Breach report, third-party breaches cost more than $370,000 more than in-house breaches.
Many organizations aren’t prepared for third party breaches, however – Protiviti’s 2019 Vendor Risk Management Benchmark Study found that only 4 in 10 organizations have a fully mature vendor risk management process in place.
This is why it’s critical to do your due diligence when it comes to service providers, who are some of the most important third parties in your organization’s extended enterprise.
First, however, what exactly is a service provider, and how do they differ from other third parties, like vendors?
Like vendors, service providers are third parties in your businesses’ extended enterprises. While there may be some overlap between your vendors and your service providers (and in some cases, organizations use the terms interchangeably) there is one big difference between the two: vendors sell a product while service providers sell a service.
Take the FDIC’s definition of service providers, for example. According to the FDIC, a service provider can provide “…core processing; information and transaction processing and settlement activities that support banking functions such as lending, deposit-taking, funds transfer, fiduciary, or trading activities; Internet-related services; security monitoring; systems development and maintenance; aggregation services; digital certification services, and call centers.”
The above offerings are often core functions of an organization, and that means that many service providers have access to sensitive data, like customer information and other financial data. Because of this, it’s critical that you perform your due diligence before entering into a relationship with any service provider.
Take inventory of your service providers:
__ List the providers of major core functions
__ Catalogue any smaller providers who might be working with individual departments
Collect information on each service provider including:
__ A business charter or articles of incorporation (or similar corporate charter)
__ Business license
__ Business location, and proof of location.
__ Overview of company structure
__ Information about executives and board members
__ Financial information
Information about general risk:
__ Is the service provider on any watch lists?
__ Is the company or any key personnel the target of major lawsuits?
__ Is there negative news coverage of the service provider?
__ Are there major complaints or negative reviews from consumers?
__ Is the site physically secure?
Information about cyber risk:
__ Security rating
__ Assessment questionnaire
__ IT system outline
__ Are any assets exposed to the open Internet?
__ Is there a history of data breaches?
Classify your service providers from highest to lowest risk asking the following questions:
__ What service does this organization provide?
__ Who owns the relationship with this provider?
__ Is this provider tied to your organization’s most critical business operations?
__ What data do they have access to?
Analyze your risk:
__ Calculate your risk using this formula: Risk = Likelihood of a Data Breach X Impact of a Data Breach/Cost
__ Set a risk rating of high, medium, or low
__ Compare the above information with your risk appetite and determine whether your organization should pursue a relationship with the service provider
Your work isn’t done when you understand the risks associated with each of your service providers. It’s your job to monitor your third parties continuously to ensure they don’t become lax and put your data at risk.
SecurityScorecard can help you do this in a few ways. For example, our platform can document a service provider’s security rating, relate it to their risk tolerance, and use it as a qualitative metric that links to both data controls and financial stability. Additionally, our easy-to-digest grades of A through F make it easy to explain risks to your board.
Our continuous monitoring also scans and identifies leaked credentials and other factors that will let you know if your third parties have been the victims of social engineering. Your service providers might be providing employee security awareness training, for example, but SecurityScorecard can tell you whether that training has worked.
Lastly, SecurityScorecard’s intelligent tool Atlas can help you streamline your third party risk assessment process by comparing service providers’ questionnaire responses to previous questionnaires and the platform’s analytics.
Managing third party risk can be difficult. With SecurityScorecard, organizations can make the process simpler and gain a window into their service providers’ risk.
Vendor management is the process an organization utilizes to assess and manage a third- or fourth-party vendor. Learn how SecurityScorecard can help.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 20 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.