Posted on Mar 27, 2020
The world is more digitally connected than ever before. In fact, the United States experienced a 159% increase in remote employment between 2005 and 2017, even before organizations began asking employees to work remotely as part of their Coronavirus protection strategies.
Organizations recognize that their third-party business partners can contribute to their data breach risks. However, those third-parties also outsource work to vendors, which further exacerbates the already disconcerting visibility problems associated with the supply chain. With more employees throughout the supply chain working remotely, organizations need better insight into who their fourth-party vendors are and a way to mitigate the often invisible risks those vendors pose.
Organizations have the ability to communicate with their third-party vendors. They hire them, engage in due diligence, establish contractual obligations, and can maintain governance over their security controls.
However, most organizations rely on their third-party vendors when it comes to the fourth-party vendors in the ecosystem. A May 2018 Compliance Week article notes the following findings from a survey with 102 respondents:
Third-parties continue to pose a data breach risk, so organizations need to not only monitor their own third-parties but also take a more active approach to managing the risks that their vendors’ third-party partnerships pose.
When you stop and think for a moment, all data breaches arise from a similar set of circumstances. Whether your organization, your third-party’s organization, or your fourth-party’s organization experiences a data security incident, similar causes led to all of the weaknesses.
However, unlike your own vendors, you likely have little or no contact with your fourth-party vendors. Mitigation strategies that work for third-parties often become untenable when digging deeper into the supply chain.
The first step to mitigating third-party data security risk is to “know your vendors.” While organizations may struggle with this, they have resources such as their IT asset list or their vendor payment records. Unfortunately, when trying to determine fourth-party risks, they lack these resources. Even if you can get a list of vendors that third-parties use, the number of organizations in the supply chain rapidly becomes overwhelming.
According to research, 182 vendors access an organization’s IT systems every week. If you have 182 vendors and each of those vendors contracts with 182 additional third-parties, you are connected to 33,124 potential fourth parties. That’s a lot of monitoring, too much for most organizations to manage.
Assuming you have a minimum of 33,124 third- and fourth-party vendors to monitor, you can’t effectively report the risk to senior-level executives and your Board of Directors. The information overload and time it takes to continuously monitor all of these attack vectors overwhelms people and increases your cybersecurity costs exponentially.
Your contracts are with your vendors, not with their third-party business partners. Since those fourth-parties have limited responsibility to you, and you have limited visibility into the effectiveness of their security controls, you lack both protection and control. You can consider holding your vendor accountable, but you still need to monitor their monitoring. In short, it becomes a complex web of relationships, reporting, and governance.
With the proliferation of privacy and cybersecurity regulations requiring documentation over continuous monitoring strategies, organizations find themselves struggling. With an increasingly distributed workforce, organizations need to understand their fourth-party risks in new ways.
Creating a third-party risk monitoring strategy that incorporates a full view of vendor risk can also provide visibility into these traditionally invisible fourth-party connections. For example, if you create a third-party vendor monitoring profile that can monitor access to the vendor’s network, you gain insight into the fourth parties who access that network.
The sheer influx of information arising from fourth-party risk monitoring can be overwhelming. However, an organization that can monitor its third-party vendor risk can more easily manage the depth of information necessary.
For example, if your risk is tied to your third-party ecosystem, then your third-party risk is also tied to the way that your vendors manage their third-parties. With all this information, you need at-a-glance visibility into your riskiest third-parties so that you can more deeply investigate where their risks come from.
Once you know which vendors pose a greater risk, you need to look into what security controls impact your organization and how those potentially indicate a fourth-party data breach risk.
Patching cadence, or how regularly a vendor applies security patches, may not indicate a fourth-party risk because it relates to an organization’s processes around its own systems, network, and software. However, endpoint security might give insight into vendor third-party devices that pose a risk, which gives you an opportunity to talk to your vendor about how they manage that risk. Additionally, reviewing web-application security for your third-party vendors can give insight into your vendors’ third-party (that is, your fourth-party) risks.
Identifying potential fourth-party risk via third-party risk monitoring gives you a way to compare vendors’ security across your ecosystem. If your service level agreements (SLAs) discuss ensuring vendor risk management, then being able to compare third-parties to each other gives you a way to show metrics across your fourth-party ecosystem.
For example, if Vendor A has a problem with web-application security and Vendor B does not, the lack of Vendor A’s vendor risk monitoring increases your organization’s fourth-party risk. You can review these comparisons and give better benchmark reporting to senior leadership and your Board of Directors by using the easy-to-read risk scoring.
SecurityScorecard’s security ratings platform enables robust fourth-party vendor risk management by enabling organizations to create vendor profiles that provide visibility across ten groups of risk factors, including DNS health, network security, IP reputation, endpoint security, web application security, hacker chatter, leaked credentials, and social engineering. Our easy-to-read A-F rating system provides a high-level view of your security and your vendors’ security while also allowing you to dig deeper into the individual risk factors, if necessary.
Although your fourth-party vendors appear disconnected from your own IT environment, the reality is that the risk they pose to your vendors needs to be incorporated as part of a holistic vendor risk management program. The interconnected IT ecosystem needs to be continuously monitored to ensure governance over your cyber risk and meet evolving compliance needs.