
Reading the statistics and poring through articles about recent third-party security breaches may educate you about current cyber dangers, but it won’t actually solve anything. The best way to minimize your risk of third-party cyberattacks is by implementing a comprehensive and efficient Third-Party Security Risk Management (TPSRM) process.
But if you’re like many, you are part of a small team charged with managing this process, and you might not know where to begin. Here are three important tips to help get you started:
Any time you work with a vendor, it poses a certain amount of potential risk. Inherent risk is the level of risk present in a process before anything has been done to reduce it. Reliance on third-party vendors is necessary for doing business, but those vendors can also greatly affect your inherent risk, because essentially their risks are also your risks.
In layman’s terms, an open door to your office is an inherent risk: a burglar can simply walk in and take something valuable. Putting a lock on the door deters someone from walking in and taking something. However, some level of risk, known as residual risk, always remains.
The correct approach to handling inherent risk is to:
A control is a safeguard or countermeasure that avoids, detects, counteracts or minimizes risk. As an organization, you measure yourself against a control set, a defined collection of controls together with the metrics used to assess them. And because you measure yourself against a particular control set, you must measure your suppliers against that very same control set.
Control frameworks such as NIST, ISO 27001/2:2013 and CIS are standards for information security and privacy that form the basis of a company’s enterprise security risk management policy. Government regulators enforce standards for information security and privacy for various industries with regulations such as GDPR (data privacy), EBA Guidelines (banking), CCPA (data privacy), HIPAA (health privacy) and many others.
Controls are about business. You need to safeguard the technology that runs your business and secure the data that is the lifeline of that business. By implementing these controls, you are creating an acceptable residual risk level for your organization.
It is important to look at all of your suppliers and tier them according to their inherent risk level. Not all suppliers are treated equally because each one presents a different level of risk to your organization.
Let’s suppose you have three different suppliers: a pencil supplier, an e-commerce merchant provider and someone who sprays your plants at the office. Each third party represents a different level of risk to your organization, based on the pillars of inherent risk:
You can live without the pencil supplier and the plant sprayer for a prolonged period of time, but you can’t live without your e-commerce merchant who is processing credit card information for your business.
While you may not be sharing sensitive data with your pencil supplier and your plant sprayer, you’re sharing credit card and other private data with your e-commerce merchant.
With these important third-party distinctions in mind, you can now tier your suppliers accordingly.
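The tiering described above, worked through in code. This is an added example and not part of the original post or any vendor's tooling: it rates each supplier on the two inherent-risk pillars the post names (how long the business could operate without the supplier, and how sensitive the data shared with it is), maps the ratings to a tier, and then scopes the assessment to that tier. The rating scales, the tier cut-offs, the review intervals and the two extra suppliers beyond the post's three are assumptions chosen for the illustration.

```python
from dataclasses import dataclass

# Ordinal scales for the two inherent-risk pillars named in the post.
# Labels and numeric values are assumptions for this example; higher = more risk.
DEPENDENCE = {"weeks": 0, "days": 1, "hours": 2, "continuous": 3}           # how long you could run without the supplier
DATA_SENSITIVITY = {"none": 0, "internal": 1, "personal": 2, "regulated": 3}  # most sensitive class shared (regulated = card/health data)

TIER_ORDER = ["Low", "Medium", "High", "Critical"]


@dataclass(frozen=True)
class Supplier:
    name: str
    dependence: str   # key of DEPENDENCE
    data_shared: str  # key of DATA_SENSITIVITY


def inherent_risk_score(s: Supplier) -> int:
    """Untreated risk, before any controls: the sum of the two pillar ratings (0-6)."""
    return DEPENDENCE[s.dependence] + DATA_SENSITIVITY[s.data_shared]


def inherent_risk_tier(s: Supplier) -> str:
    """Map a supplier to a tier (cut-offs are assumptions).

    A single maximal pillar is enough for High: regulated data shared with a
    supplier you could replace in a week is still your data if they are breached.
    """
    dep, data = DEPENDENCE[s.dependence], DATA_SENSITIVITY[s.data_shared]
    if dep == 3 and data == 3:
        return "Critical"
    if dep == 3 or data == 3:
        return "High"
    if dep + data >= 3:
        return "Medium"
    return "Low"


def assessment_scope(tier: str) -> dict:
    """Assumed mapping from tier to how deeply and how often the supplier is assessed,
    so that questionnaire effort follows inherent risk rather than being uniform."""
    return {
        "Low": {"review_months": 24, "questionnaire": "self-attestation"},
        "Medium": {"review_months": 12, "questionnaire": "standard control set"},
        "High": {"review_months": 12, "questionnaire": "full control set + evidence"},
        "Critical": {"review_months": 6, "questionnaire": "full control set + evidence + audit report"},
    }[tier]


def tier_suppliers(suppliers):
    """Return (name, tier, score) for each supplier, riskiest first."""
    rows = [(s.name, inherent_risk_tier(s), inherent_risk_score(s)) for s in suppliers]
    return sorted(rows, key=lambda r: (TIER_ORDER.index(r[1]), r[2]), reverse=True)


# Constructed sample portfolio: the post's three suppliers plus two assumed ones.
SAMPLE_SUPPLIERS = [
    Supplier("pencil supplier", "weeks", "none"),
    Supplier("office plant sprayer", "weeks", "none"),
    Supplier("e-commerce merchant provider", "continuous", "regulated"),
    Supplier("payroll processor", "days", "regulated"),
    Supplier("help-desk SaaS", "hours", "personal"),
]

if __name__ == "__main__":
    for name, tier, score in tier_suppliers(SAMPLE_SUPPLIERS):
        plan = assessment_scope(tier)
        print(f"{name:30} {tier:8} score={score}  review every {plan['review_months']} months: {plan['questionnaire']}")
```

Running it places the e-commerce merchant in the Critical tier, the pencil supplier and plant sprayer in Low, and the two extra suppliers in between, which is the ordering the post's reasoning implies. The tier, not the raw score, drives the assessment scope, so a supplier that shares regulated data is never assessed lightly just because the business could survive without it for a while.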
Interested in learning more about setting up a TPSRM process for your organization? If you want to understand how to create security questionnaires that consider inherent risk, how to scope questionnaires appropriately and how automation helps with third-party security risk management, check out our recent webinar.