Posted on May 11, 2018
Since the massive Target data security breach in December 2013, third-party cybersecurity stopped being an afterthought and started becoming one of the top security priorities for CISOs and risk departments. As a response, third-party risk management (TPRM) underwent a transformation in early 2014, and it continues to evolve today.
With attackers finding new ways to break into third-party networks in the hope of compromising a larger organization, the third-party ecosystem is more exposed than ever before. At the same time, large organizations and enterprises are increasingly using third-party vendors to help streamline operations. Many have passed responsibility for critical business services, such as HR functions, data storage, and modes of communication, on to cloud-based third parties.
Without a modern TPRM program, many of these vendors are left behind in security risk management, putting organizations in a vulnerable position. Let’s take a look at some of the leading challenges surrounding third-party vendor risk management, and the steps your IT security team can take to overcome them.
Vendor management is the process an organization uses to assess and manage third- or fourth-party vendors. This can include activities ranging from vendor selection to contract negotiation and risk reduction. As organizations continue to work with third-party vendors, it’s important that they consider the level of access these vendors may have. With access to some of an organization’s most sensitive data, third-party vendor cybersecurity is not a consideration that should be taken lightly.
When vendor relationships are effectively managed, organizations are able to confidently oversee their entire supply chain’s ecosystem and identify opportunities to negotiate lower costs and better service agreements.
Additionally, the cost of a third-party data breach is on the rise, meaning vendor management cannot be overlooked. In 2020, organizations spent an average of nearly $3.9 million on third-party vendor-related security incidents. With this in mind, the benefits of successful third-party vendor risk management are clear.
Over 50% of organizations have experienced a data breach due to their third-party vendors, but TPRM programs don’t often take a risk-first perspective when it comes to risk management. Security and vendor risk departments are often solely focused on compliance. While that is important, it doesn’t get to the heart of the risk posed by your third-party vendors.
To shift the approach of your TPRM program to measure true risk, you’ll need to make some adjustments in how you manage third parties. Here are the three top third-party risk management challenges and the best practices your organization can implement to bolster your TPRM program:
As businesses increasingly embrace digital transformation of their IT and infrastructure, more of them than ever are relying on third-party vendors, and the mounting need to manage those vendors is clear. Over 60% of respondents to a Ponemon Institute survey on third-party risk management believe that the Internet of Things significantly increases third-party risk, and 68% believe the same is true of cloud migration.
However, as more third-party vendors are brought in, they’re often not managed to match the level of cybersecurity risk they carry. Worse, they may not be managed at all due to a lack of resources. This creates an unmanaged security risk. If these third parties have access to your network, your employees’ PII, or your customers’ sensitive data, they should be subject to rigorous risk management assessments.
Unfortunately, as the number of third parties continues to rise, it’s often not feasible for every vendor to be assessed in the same critical fashion. That’s why having an automated risk assessment tool for assessing vendors is a way to ensure you’re minimizing unmanaged risk from both new and existing vendors.
Automating your TPRM process is one of the major steps towards having a mature TPRM department. Its benefits include:
By automating the TPRM process, you create a standardized structure that can be applied to all third parties, whether existing or newly onboarded. You can automate your TPRM process by adopting technologies or tools that automate vendor risk assessments and the information-gathering process for your third-party vendors. This helps ensure that you’re optimizing your resources and spending company time on what is most impactful.
Third-party vendors are often assessed through questionnaires, onsite assessments, or via penetration tests. Each has its own advantages and disadvantages. Onsite risk assessments and penetration tests are resource-intensive, requiring time, money, and staff in order to carry out the assessments. Because of the costs, these kinds of assessments cannot be used for all vendors and should be reserved for the most risk-critical third parties.
That leaves questionnaires to fill the void for most of the other vendors. However, questionnaires are self-reported, which makes using a ‘trust, but verify’ approach to risk management difficult to accomplish.
A recent survey found that those who had invested in risk management programs are performing better amid changes such as the COVID-19 pandemic. Those who had not struggled to independently verify the security posture of their third-party vendors, who are, for obvious reasons, incentivized to report positively on their own performance.
Organizations should find independent third parties that can provide risk-based assessments of their third parties to validate that the findings from questionnaires are a realistic portrait of the state of a third-party vendor’s security. There are a number of cybersecurity solutions that provide risk-first third-party assessments. To find the right solution, you should research whether or not those solutions:
The assessment methods mentioned in the previous section all share one glaring flaw: they assess third-party vendors at a single point in time. Often, the information gathered by a security risk assessment is already outdated by the time it reaches you. Attackers develop new attacks and exploit vulnerabilities too quickly for point-in-time assessments or annual reviews to provide any insight into the real security posture of a vendor.
A PwC Third-Party Risk Management report on the finance industry noted that 58% of companies using ad hoc monitoring experienced a third-party service disruption or data breach, compared to only 37% of those that regularly monitor their providers and partners. Without a way to know the security posture of your third parties on demand, you’re managing risk with a blindfold on. With only point-in-time information that can quickly become outdated, your ability to react to new vulnerabilities, or worse, a potential third-party cybersecurity incident, is negligible.
Implementing continuous monitoring in your third-party risk management program is a very effective way to decrease your reaction time and increase visibility into the security posture of your critical third parties. Through continuous monitoring, you bolster the security of your third parties by keeping them consistently accountable, which in turn minimizes your overall risk of a security incident.
As organizations onboard more third-party vendors, visibility becomes increasingly difficult to maintain. In many cases, this means that critical risks or gaps in security are more likely to fall through the cracks. With the number of regulatory mandates on the rise, such as GDPR, HIPAA, PCI, and more, organizations can’t afford to risk falling out of compliance.
An effective third-party risk management program should allow your IT security team to confidently oversee the cybersecurity posture of your organization’s entire supply chain, including third- and fourth-party vendors. This enables a more proactive approach to compliance and vendor due diligence and ensures that your organization is able to consistently prove compliance with various industry standards.
One of the first steps of establishing a central TPRM program is to prioritize and identify your most risk-critical and business-critical vendors, and then define your third parties’ security controls and processes that you’ll monitor on an ongoing basis. If you have the resources, look for automated risk assessment tools and solutions that offer continuous monitoring for your third-party vendors.
Updating your third-party vendor risk management program doesn’t have to be a complete overhaul of your department. Instead, you should use a risk-first perspective to define the aspects that are the most critical to update. The four we highlighted here will yield the most dramatic changes in a TPRM program, reducing your unmanaged risk and reaction time, should a security incident occur.
By automating aspects of your TPRM program, using independent third-party assessments, adopting continuous monitoring, and maintaining regulatory compliance, you’re not far from having a mature TPRM program that can easily assess any new third-party vendor as it comes, keeping your organization safe.