Posted on Jun 25, 2020
Third party vendors aren’t the only service providers your organization needs to examine and audit. You should also be keeping tabs on their vendors.
It can be tough to know where to draw the line on your vendor’s vendors, also known as fourth party vendors. Are you required to manage all fourth party vendors? Well, let’s look at the following possible scenario:
If your company enlists the services of 50 vendors in your supply chain and 20 of them are utilizing a particular provider for a critical service, what happens if that critical service provider is hacked or experiences downtime?
Even small service providers can cause a major disruption to your organization’s day to day dealings. For instance, in 2016, the DNS provider Dyn experienced a distributed denial of service (DDoS) attack, which knocked numerous customers, including PayPal and Amazon, offline for the duration of the attack. If your company had used Dyn’s DNS services, you could have been impacted by the outage even though you never contracted with Dyn directly.
Here’s everything you need to know about fourth party vendor risk management in order to keep your company safe.
A fourth party vendor is a service provider with which you have no direct contract, but with which your vendor has a business relationship for services or products. Just as your enterprise depends heavily on some of its vendors, your vendors depend heavily on some of theirs, and those are the ones you need to keep an eye on. These vendors show up in your vendor’s SOC reports as subservice organizations, and your service provider should identify the ones it classifies as crucial in its own vendor management matrix.
With SSAE 18 taking effect in 2017, your third party vendors are responsible for identifying their critical subservice organizations, which are your fourth parties, in their SOC reports. This makes it simpler for you to know exactly which ones you should be vigilantly monitoring.
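The 50 vendor / 20 shared provider scenario above is a concentration-risk question, and it can be answered mechanically once you have pulled the critical subservice organizations out of each vendor's SOC report. The following is an added example (not SecurityScorecard's code or tooling) with a constructed, hypothetical inventory: it inverts the vendor-to-fourth-party mapping, reports what share of your critical vendors each fourth party sits underneath, flags the ones that are single points of failure, and lists the blast radius if a given fourth party is breached or goes down.

```python
from collections import defaultdict

# Constructed sample inventory with hypothetical vendor names. Each entry is one
# third-party vendor you contract with, whether it supports a critical service
# of yours, and the subservice organizations (fourth parties) that vendor flags
# as critical in its own SOC report.
VENDORS = {
    "Payroll-Co":  {"critical": True,  "fourth_parties": {"CloudHost-A", "DNS-X"}},
    "CRM-B":       {"critical": True,  "fourth_parties": {"CloudHost-A", "DNS-X", "Email-Y"}},
    "Support-C":   {"critical": False, "fourth_parties": {"DNS-X"}},
    "Analytics-D": {"critical": True,  "fourth_parties": {"CloudHost-Z"}},
    "Storage-E":   {"critical": True,  "fourth_parties": {"CloudHost-A"}},
    "Logger-F":    {"critical": False, "fourth_parties": {"CloudHost-Z"}},
}


def dependents(vendors):
    """Invert the inventory: fourth party -> set of your vendors that rely on it."""
    index = defaultdict(set)
    for name, info in vendors.items():
        for fp in info["fourth_parties"]:
            index[fp].add(name)
    return dict(index)


def concentration(vendors):
    """Share of your *critical* vendors that depend on each fourth party.

    Returns a list of (fourth_party, critical_share, critical_dependents),
    most concentrated first. A fourth party used only by non-critical vendors
    still appears, with a share of 0.0, so nothing silently drops out.
    """
    critical = {n for n, i in vendors.items() if i["critical"]}
    rows = []
    for fp, deps in dependents(vendors).items():
        hit = deps & critical
        share = len(hit) / len(critical) if critical else 0.0
        rows.append((fp, share, sorted(hit)))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


def single_points_of_failure(vendors, min_share=0.5):
    """Fourth parties whose loss would take down at least min_share of your critical vendors."""
    return [(fp, share) for fp, share, _ in concentration(vendors) if share >= min_share]


def blast_radius(vendors, fourth_party):
    """Every vendor of yours, critical or not, affected if fourth_party is breached or down."""
    return sorted(dependents(vendors).get(fourth_party, set()))


if __name__ == "__main__":
    for fp, share, hit in concentration(VENDORS):
        print(f"{fp:12s} {share:5.0%} of critical vendors: {', '.join(hit)}")
    print("Single points of failure:", single_points_of_failure(VENDORS))
    print("If DNS-X goes down:", blast_radius(VENDORS, "DNS-X"))
```

With the constructed data, CloudHost-A sits under three of the four critical vendors even though it never appears in any contract you signed; that is exactly the kind of fourth party the rest of this article says to monitor first. In practice the inventory comes from the subservice organizations listed in each vendor's SOC report and from your own tiering of which vendors are critical.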
You should understand the following three items about your fourth party vendors, including:
When you thoroughly understand these three aspects of your fourth party vendors, you can better anticipate threats residing a level deeper in your supply chain. A breach of a fourth party vendor can be as impactful as a breach of your third party service provider, because your data and uptime flow through both.
Here are several ways a fourth party vendor could be a risk to your organization:
Here are some steps you can take to thoroughly evaluate fourth party risks:
Most fourth party vendors will carry some level of threat to your enterprise. If you find out that the fourth party does present a significant risk to your business, you should:
SecurityScorecard’s security ratings platform allows your business to create vendor profiles that provide a clear visibility across 10 groups of threat factors, including network security, endpoint security, web application security, social engineering, and hacker chatter.
Even though you have no working relationship with fourth party vendors, they can still pose a real threat to your ecosystem. Continuous monitoring and due diligence are critical to keeping your business safe and sound.