Reading the statistics and poring through articles about recent third-party security breaches may educate you about current cyber dangers, but it won’t actually solve anything. The best way to minimize your risk of third-party cyberattacks is to implement a comprehensive and efficient Third-Party Cyber Risk Management (TPCRM) process.
But if you’re like many, you are part of a small team charged with managing this process, and you might not know where to begin. Here are three important tips to help get you started:
Tip 1: Assess Inherent Risk
Any time you work with a vendor, it introduces a certain amount of potential risk. Inherent risk is the level of untreated risk present in a process before anything has been done to reduce it. While reliance on third-party vendors is necessary for doing business, those vendors can greatly affect your inherent risk, because essentially, their risks are also your risks.
To put it in layman’s terms, an open door to your office is an inherent risk; a burglar can simply walk in and take something valuable. Putting a lock on the door is a control that makes it harder for someone to walk in and take something. However, some level of risk, known as residual risk, always remains.
The correct approach to handling inherent risk is to:
- Assess the various risk levels by understanding how much risk you and your vendors face.
- Take proactive steps to reduce risk and the likelihood of experiencing any possible adverse effects from the risk.
- Monitor risks on an ongoing basis to keep security risks at a minimum and ensure compliance and consistency are enforced.
Tip 2: Consider Control Frameworks
A control is a safeguard or countermeasure to avoid, detect, counteract or minimize risks. As an organization, you need to measure yourself against a control set: a defined collection of controls, each with criteria for judging whether it is in place. And because you are measuring yourself against a certain control set, you must also measure your suppliers against the very same control set.
Control frameworks such as NIST, ISO 27001/2:2013 and CIS are standards for information security and privacy that form the basis of a company’s enterprise security risk management policy. Government regulators enforce standards for information security and privacy for various industries with regulations such as GDPR (data privacy), EBA Guidelines (banking), CCPA (data privacy), HIPAA (health privacy) and many others.
Controls are about business. You need to safeguard the technology that runs your business and secure the data that is the lifeline of that business. By implementing these controls, you are creating an acceptable residual risk level for your organization.
Tip 3: Tier Your Third Parties
It is important to look at all of your suppliers and tier them according to their inherent risk level. Not all suppliers are treated equally because each one presents a different level of risk to your organization.
Let’s suppose you have three different suppliers: a pencil supplier, an e-commerce merchant provider and someone who sprays your plants at the office. Each third party represents a different level of risk to your organization based on the pillars of inherent risk:
- Criticality: How long can your business operate without the services of this third party?
You can live without the pencil supplier and the plant sprayer for a prolonged period of time, but you can’t live without your e-commerce merchant, who is processing credit card information for your business.
- Sensitivity: How sensitive is the data you will share with this third party?
While you may not be sharing sensitive data with your pencil supplier and your plant sprayer, you are sharing credit card and other private data with your e-commerce merchant.
- Access: Which virtual or physical assets will the third party have access to?
Your pencil supplier may not have access to your data, but your e-commerce merchant certainly does, as does your plant sprayer, who enters your physical facility and has access to loads of sensitive information. Of course, virtual vendor access must also be considered as an inherent risk.
With these important third-party distinctions in mind, you can now tier your suppliers accordingly.
Interested in learning more about setting up a TPCRM process for your organization? If you want to understand how to create security questionnaires that consider inherent risk, how to scope questionnaires appropriately and how automation helps with third-party security risk management, check out our recent webinar.