While independent studies have repeatedly shown roughly three out of five reported data breaches stem from a third-party relationship, the simple fact of the matter is that many organizations still cannot effectively quantify their cyber risk attributable to third parties.
While the best third-party risk management (TPRM) programs coordinate the efforts of stakeholders from across the business, there are specific considerations that impact cybersecurity and should be a part of any program, whether overarching or focused only on IT vendors.
Due to its overall complexity, TPRM is an elephant that must be eaten one bite at a time. Vendor-specific knowledge is often decentralized, and third parties can be hesitant to share details about the internal safeguards they have implemented. For these reasons, security professionals will benefit greatly from partnering with the primary business owners of each relationship. We have outlined the following high-level steps that organizations can include in their TPRM program, whatever its maturity level.
1. Know Your Third Parties
This is often not as straightforward as it sounds. Most organizations do not have a single vendor repository, and there may be third parties that fit outside the traditional definition of a “vendor”. An important first step in TPRM is building not only a complete listing of third parties, but also understanding how each third party interacts with organizational data or supports critical business functions. Schneider Downs recommends defined processes for the identification of new vendors, closure of terminated third-party relationships, and reconciliation of the existing vendor list.
2. Leverage the Pareto Principle
While the 80/20 rule is not absolute, most organizations will find that a small subset of third parties exposes the enterprise to the greatest risks. For instance, a security incident impacting a cloud provider, internet service provider, or utility company will clearly cause a greater downstream effect than the compromise of a supplier of office supplies or furniture.
Assessing the criticality of each vendor using the CIA triad of confidentiality, integrity, and availability is a straightforward way to rank the inherent risk of third-party relationships. Once all vendors are identified and ranked by criticality to the organization’s strategic goals, we recommend selecting a subset of the highest risk partners (top 20 percent, top 10, etc.) to perform detailed risk treatments for in the following steps.
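The ranking described above can be made repeatable with a small script. The following is an added example, not code from the original article or from Schneider Downs: it scores each third party on the CIA triad, assigns a tier, selects the top fraction of the inventory for detailed treatment, and lists the vendors that handle organizational data but fall below the cut-off (these still need the baseline ground rules even though they are not in the first review batch). The vendor names, scores, tier thresholds and the 1-to-5 scale are constructed assumptions for illustration.

```python
"""Tier a third-party inventory by inherent risk using CIA scoring.

Added example; not the article's or Schneider Downs' own tooling.
All vendor names, scores and thresholds below are constructed.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ThirdParty:
    name: str
    confidentiality: int  # 1 (low) .. 5 (high): sensitivity of data the vendor sees
    integrity: int        # 1..5: harm if the vendor's data or service were silently altered
    availability: int     # 1..5: business impact if the vendor's service were unavailable
    handles_org_data: bool = False

    def __post_init__(self):
        # Reject scores outside the assumed 1..5 scale so a typo cannot
        # silently push a vendor into or out of the review batch.
        for field in ("confidentiality", "integrity", "availability"):
            value = getattr(self, field)
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: {field} must be 1..5, got {value}")


def inherent_risk(tp: ThirdParty) -> int:
    """Additive CIA score in the range 3..15 (assumed scoring model)."""
    return tp.confidentiality + tp.integrity + tp.availability


def tier(score: int) -> str:
    """Map a score to a tier; thresholds are constructed for this example."""
    if score >= 12:
        return "critical"
    if score >= 9:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def rank(inventory):
    """Highest inherent risk first; ties broken by name so output is stable."""
    return sorted(inventory, key=lambda tp: (-inherent_risk(tp), tp.name))


def top_fraction(inventory, fraction=0.2):
    """Names of the top `fraction` of vendors (at least one) for detailed treatment."""
    ranked = rank(inventory)
    n = max(1, math.ceil(len(ranked) * fraction))
    return [tp.name for tp in ranked[:n]]


def data_handlers_outside(inventory, fraction=0.2):
    """Vendors that store or process organizational data but fall below the cut-off.

    These are not in the first review batch, yet they still need the
    baseline contractual requirements (breach notification, encryption, disposal).
    """
    ranked = rank(inventory)
    n = max(1, math.ceil(len(ranked) * fraction))
    return [tp.name for tp in ranked[n:] if tp.handles_org_data]


# Constructed sample inventory (names and scores are illustrative only).
INVENTORY = [
    ThirdParty("cloud-iaas-provider", 5, 5, 5, True),
    ThirdParty("payroll-saas", 5, 4, 3, True),
    ThirdParty("isp-primary", 2, 3, 5, False),
    ThirdParty("marketing-analytics", 4, 2, 2, True),
    ThirdParty("hvac-maintenance", 1, 2, 3, False),
    ThirdParty("office-furniture", 1, 1, 1, False),
    ThirdParty("managed-print", 3, 2, 2, True),
    ThirdParty("utility-power", 1, 2, 5, False),
    ThirdParty("staffing-agency", 3, 2, 2, True),
    ThirdParty("catering", 1, 1, 1, False),
]


if __name__ == "__main__":
    for tp in rank(INVENTORY):
        score = inherent_risk(tp)
        print(f"{tp.name:22} score={score:2} tier={tier(score)}")
    print("detailed review batch (top 20%):", top_fraction(INVENTORY, 0.2))
    print("data handlers outside batch:", data_handlers_outside(INVENTORY, 0.2))
```

The additive score is easy to explain to business owners, but it can average away a single extreme dimension (a vendor scoring 5 on confidentiality and 1 elsewhere lands in the "medium" tier); if that matters for your inventory, replace `inherent_risk` with the maximum of the three scores, or weight confidentiality for vendors that handle organizational data.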
3. Set Your Ground Rules
It can be easy to ask for the world when developing standards for third-party cybersecurity, but most security professionals should understand that business objectives often take priority over risks. Lengthy questionnaires and complex requirements for security complicate the vendor selection process, leading to both frustration amongst internal stakeholders and misdirected focus on low-risk vendors. Third-party requirements should be tied to common cybersecurity risks and be revisited regularly to address emerging threats. A few baseline examples include:
Requiring that all third parties agree to a standard notification process in the event that they experience a data breach
Specifying baseline levels of encryption that must be implemented by any third party storing or processing organizational data
Standardizing policies for network access, BYOD, etc. for vendors and contractors
Requesting and reviewing appropriate SOC reports from vendors based on their relationship
Documenting requirements for the disposal of organizational data at the termination of a relationship
4. Rinse and Repeat
Once the cyber risks around a given set of third parties are considered “managed” (i.e., the inherent risks are documented and residual risks have been addressed either by requesting action by the vendor or by an internal exception process), the entire process can be repeated for lower risk relationships. Schneider Downs recommends the highest risk vendors be evaluated annually for any major changes, but known security events should trigger an immediate review of a vendor at any risk level.
This article is part of a series exploring the importance of third-party risk management programs; you can view additional articles below.
View our entire Third Party Risk Management article library here.
About Schneider Downs Third-Party Risk Management
Schneider Downs is a registered assessment firm with the Shared Assessments Group, the clear leader in third-party risk management guidance. Our personnel are experienced in all facets of vendor risk management, and have the credentials necessary (CTPRP, CISA, CISSP, etc.) to achieve meaningful results to help your organization effectively achieve new vendor risk management heights.