A recent Ponemon survey of third-party risk revealed that less than half of organizations (40%) believe that their third parties’ data safeguards and security policies and procedures are enough to prevent a data breach. For example, more than half (53%) of respondents rely solely upon their third party to notify their organization when data is shared with n-th parties. Only 43% of organizations regularly review their internal third-party management policies and programs as the cybersecurity and regulatory landscapes continue to evolve.
In this post, we’ll explore different vendor cybersecurity best practices to strengthen third-party risk management.
Best Practices for Vendor Cybersecurity: The Importance of Managing Third-Party Risk
Third-party risk is any operational, cyber, reputational, financial, regulatory, or legal risk posed to an organization through a vulnerability or weakness of a third party. According to the same survey, 59% of organizations experienced data breaches involving a third-party vendor, with 38% stating that the breach originated from an n-th party. As organizations increasingly rely on third parties (and those third parties in turn outsource to fourth parties), a proactive approach to third-party risk is critical to keeping it to a minimum.
Recent examples of third-party security incidents include:
- CrowdStrike. A defective software update from Microsoft’s third-party cybersecurity firm, CrowdStrike, led to widespread global operational disruptions. Although it wasn’t a cyber attack, the incident led to over 5,000 flight cancellations worldwide, delays in emergency response times and patient care, and disrupted news broadcasts.
- National Public Data. A malicious third-party actor gained unauthorized access to 2.7 billion records of personally identifiable information (PII), including names, dates of birth, addresses, and social security numbers. Although NPD initially claimed the breach only impacted 1.3 million people, that number might rise after additional investigation. The exposed data could also enable future security incidents, including phishing, social engineering, authorization bypass, and fraudulent account authorization.
- AT&T Third-Party Breach. In December 2023, a data breach exposed the data of more than 8.9 million AT&T customers. The breach originated at an undisclosed third-party telecom company and involved data that the third party should already have deleted. Because AT&T did not have a strong enough data protection policy in place for its third parties, the FCC fined it $13 million.
4 Steps to Assess Vendor Cybersecurity Before Onboarding
The cybersecurity landscape is becoming more complex every day. It’s no longer sufficient to evaluate your vendor’s security posture alone — you must also examine the security policies of their third parties, suppliers, and outsourced services.
Here are the steps your organization can take to achieve this:
Step 1) Identify and Classify Vendors
The first step in building strong vendor cybersecurity practices is to gain better visibility into your extended supply chain. You do this by mapping your supply chain: identifying third, fourth, fifth, and n-th party vendors and their business relationship to your organization. This is especially critical because enterprise-level organizations may have hundreds of third-party vendors on which they increasingly rely for critical systems. Classifying these vendors by their access to sensitive data and the level of risk each poses to your organization helps you prioritize which risks to address and mitigate first, improving your cybersecurity posture.
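As an added example that is not part of the original post, the following Python sketch performs the two activities this step describes: it walks a constructed supply-chain map to label each vendor as a third, fourth or n-th party, then tiers vendors by the sensitivity of the data they can reach and the criticality of the system they support. All vendor names, attributes, weights and tier cut-offs are hypothetical; the last function picks out the n-th parties that hold sensitive data without any direct contract with you.

```python
from collections import deque

# Constructed sample supply chain: who relies on whom ("us" is your organization).
SUPPLY_CHAIN = {
    "us": ["payroll-saas", "cloud-host", "marketing-agency"],
    "payroll-saas": ["cloud-host", "data-storage-co"],
    "cloud-host": ["hw-supplier"],
    "marketing-agency": ["email-tool"],
    "data-storage-co": ["shredding-co"],
    "hw-supplier": [], "email-tool": [], "shredding-co": [],
}

# Constructed attributes: (sensitivity of data the vendor can reach: 0 none .. 3 regulated
# PII/PHI, whether it underpins a critical system). Weights and tier cut-offs are hypothetical.
VENDOR_ATTRS = {
    "payroll-saas": (3, True), "cloud-host": (3, True), "marketing-agency": (1, False),
    "data-storage-co": (3, False), "hw-supplier": (0, True), "email-tool": (1, False),
    "shredding-co": (3, False),
}

def map_supply_chain(graph, root="us"):
    """Breadth-first walk from the organization. Returns {vendor: party level}, where
    3 = third party, 4 = fourth party, and so on; the closest relationship wins."""
    level, queue = {}, deque([(root, 2)])
    while queue:
        node, depth = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in level:
                level[dep] = depth + 1
                queue.append((dep, depth + 1))
    return level

def classify_vendor(sensitivity, critical):
    """Tier from data access plus operational criticality (hypothetical scale)."""
    score = sensitivity + (3 if critical else 0)
    return "high" if score >= 5 else "medium" if score >= 3 else "low"

def prioritized_review(graph=SUPPLY_CHAIN, attrs=VENDOR_ATTRS):
    """Vendors in assessment order: highest tier first, then closest relationship."""
    levels = map_supply_chain(graph)
    rank = {"high": 0, "medium": 1, "low": 2}
    rows = [(v, classify_vendor(*attrs[v]), levels[v]) for v in levels]
    return sorted(rows, key=lambda r: (rank[r[1]], r[2], r[0]))

def indirect_sensitive_vendors(graph=SUPPLY_CHAIN, attrs=VENDOR_ATTRS, min_sensitivity=3):
    """N-th parties you have no direct contract with but that still hold sensitive data:
    the relationships where you depend on the third party to tell you data was shared."""
    levels = map_supply_chain(graph)
    return sorted(v for v, lvl in levels.items() if lvl >= 4 and attrs[v][0] >= min_sensitivity)
```

In the constructed data, the shredding company is a fifth party holding regulated data, which is exactly the kind of relationship the survey figures above say most organizations only learn about through their third party.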
Step 2) Perform Thorough Due Diligence
Before entering into a new vendor relationship, your organization should thoroughly examine the vendor’s cybersecurity practices, its relevant certifications, and its adherence to regulatory frameworks (e.g., NIST CSF, SOC 2, or ISO 27001). Your security and TPRM team can conduct this investigation by sending due diligence questionnaires, performing background checks on management or other key employees, monitoring news and other information about the cybersecurity practices (and any scandals) of the vendor and its third parties, and understanding the operational risk to your organization in the event of a data breach or security incident in the vendor’s supply chain.
Ideally, thorough due diligence should be conducted throughout the vendor lifecycle to best reduce and mitigate risk.
Step 3) Use Risk Assessment Questionnaires
Existing vendors should also be continuously evaluated for their security posture through regular risk assessment questionnaires. Broadly speaking, your risk assessment questionnaires should align with your organization’s business goals. For example, if the organization wants to ensure business continuity in the event of a data breach or security incident, the questionnaire should evaluate whether the third parties it relies on can keep delivering their services without disruption. The questionnaire should also include questions that assess the vendor’s internal cybersecurity practices and the risk they carry. These include the vendor’s incident response and management protocols, data encryption protocols, access controls, network security, security awareness programs, and third-party risk management processes.
Step 4) Request Relevant Documentation
Vendors must show evidence that they are adhering to compliance and best practices for cybersecurity. These types of documents can include results of penetration testing, data protection policies (e.g., GDPR, HIPAA), security audits, and the vendor’s TPRM assessments that demonstrate its examination of risks in the supply chain. Documented internal policies on incident response, business continuity, disaster recovery, vulnerability management, and patch management provide critical insights into an organization’s commitment to cybersecurity.
Best Practices for Continuous Vendor Cybersecurity Management
Once you’ve onboarded a vendor, you’ll want to establish vendor cybersecurity best practices from day one. Setting up clear technical cybersecurity expectations from the beginning is much easier than shifting gears once a vendor relationship is in place.
These best practices should include:
- Establishing clear access controls to minimize exposure to sensitive data and ensure compliance with regulatory requirements.
- Requiring multi-factor authentication (MFA) as an extra layer of security and demonstration of commitment to cybersecurity practices.
- Implementing continuous monitoring to maintain and strengthen best cybersecurity practices after onboarding a new vendor.
- Conducting regular cybersecurity audits to identify cyber gaps while building trust and transparency between the organization and third party.
- Data encryption and secure transfer to ensure secure storage and transfer of customer data from your organization.
Establish Clear Access Controls
Minimize the risk of unauthorized access to sensitive data in your organization by limiting user access to only those who need it. These permissions can be granted based on the vendor’s role (Role-Based Access Control) or on specific rules (Rule-Based Access Control). Your organization may also adopt the Principle of Least Privilege (PoLP) or a Zero Trust approach, and apply access based on any combination of these approaches. After evaluating the different third parties and their individual access requirements to sensitive data in your organization, you’ll be able to determine the different permissions you’ll grant to each.
Require Multi-Factor Authentication (MFA)
Technical controls such as multi-factor authentication (MFA) can also strengthen vendor cyber posture by adding an extra layer of security to access to its network and data. Implementing MFA also demonstrates that an organization takes its cybersecurity seriously and helps it adhere to specific regulations that require it. Advanced MFA solutions integrate with additional security measures to detect unusual user behavior, such as network access attempts from unrecognized locations or multiple login attempts within a short timeframe. Vendors should also consider using forms of authentication that are phishing resistant, such as biometric or app-based codes as opposed to one-time passwords or SMS authentication, which are susceptible to phishing and identity-related cybersecurity attacks.
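The access-control and MFA sections above describe combining a role grant with rule-based constraints under a default-deny, least-privilege policy. The following Python example, added here and not taken from the original post, is one way to express that for vendor accounts: a role table says what each vendor role may do, a rule table layers MFA, approved source networks and an access window on top, and `authorize` returns a deny reason suitable for logging. Role names, permissions, networks and hours are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed RBAC table: the only actions each vendor role may perform (least privilege).
ROLE_PERMISSIONS = {
    "payroll-vendor": {"read:payroll-exports", "write:payroll-exports"},
    "support-vendor": {"read:ticket-attachments"},
}

# Constructed rule-based constraints layered on top of the role: MFA, approved source
# networks, and a permitted access window (UTC hours, start inclusive, end exclusive).
ROLE_RULES = {
    "payroll-vendor": {"mfa": True, "networks": ["203.0.113.0/24"], "hours": (8, 18)},
    "support-vendor": {"mfa": True, "networks": ["198.51.100.0/24"], "hours": (0, 24)},
}

@dataclass
class AccessRequest:
    vendor_role: str
    permission: str
    mfa_verified: bool
    source_ip: str
    when: datetime

def authorize(req, perms=ROLE_PERMISSIONS, rules=ROLE_RULES):
    """Return (allowed, reason). Default deny: the role must grant the permission
    AND every rule for that role must hold; the reason is what you log for review."""
    if req.vendor_role not in perms:
        return False, "unknown vendor role"
    if req.permission not in perms[req.vendor_role]:
        return False, "permission not granted to role"
    rule = rules[req.vendor_role]
    if rule["mfa"] and not req.mfa_verified:
        return False, "MFA required"
    if not any(ip_address(req.source_ip) in ip_network(n) for n in rule["networks"]):
        return False, "source network not approved for this vendor"
    start, end = rule["hours"]
    if not start <= req.when.astimezone(timezone.utc).hour < end:
        return False, "outside permitted access window"
    return True, "allowed"

def request(role, perm, mfa, ip, hour):
    """Convenience constructor for a request at the given UTC hour (constructed data)."""
    return AccessRequest(role, perm, mfa, ip, datetime(2024, 5, 6, hour, tzinfo=timezone.utc))
```

Each denial carries the failed check, so an attempt from an unrecognized network or outside the agreed window shows up as a distinct event rather than a generic failure.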
Implement Continuous Monitoring
It’s not enough to implement vendor cybersecurity best practices at the beginning of your business relationship – these practices must be maintained. This is only possible if you continuously monitor your vendor to ensure that its cybersecurity practices can detect and mitigate emerging cyber risks such as the latest CVEs and KEVs, upcoming software updates, and security gaps in the vendor’s suppliers or subcontractors. Various tools and methods help organizations with continuous monitoring, such as risk scoring, third-party risk management platforms, cybersecurity questionnaires, clearly defined vendor security standards in service-level agreements (SLAs), and regularly scheduled cybersecurity audits.
Conduct Regular Cybersecurity Audits
Having your risk management team or third-party auditors conduct regular onsite cybersecurity audits also helps strengthen your TPRM. On-site audits can include interviewing staff, inspecting facilities, and examining documentation to evaluate the vendor’s adherence to compliance and security-related clauses in their contract. The audit can discover cyber gaps in the vendor’s security and request changes in the contract to address these gaps. Regular on-site audits between your organization and the vendor also offer an opportunity to build better trust and transparency between the two parties.
Data Encryption and Secure Transfer
Implement data encryption and secure transfer of sensitive information to mitigate unauthorized access to the data or its modification. Combined with proper access control, it can guard against insider threats, data breaches, and other cybersecurity incidents. In addition, many regulations and standards (e.g., GDPR, HIPAA, PCI DSS) require data encryption and secure transfer to meet compliance. Vendors who incorporate this best practice into their security protocols also foster greater customer trust that their data is stored securely, which in turn builds trust in your brand.
Setting Contractual Requirements for Vendor Cybersecurity
Vendor contracts should explicitly detail how the security and disposition of data and connections are to be maintained and secured throughout the lifecycle of the relationship. This includes which roles are responsible for risk assessments, on-site audits, and the roles of each party in the event that high risk is found during the assessment. They should also stipulate which standards and regulations the vendor should adhere to, data protection requirements, access controls, incident response notification timeline requirements, and responsibilities of 4th and n-th level suppliers. Finally, it must state the legal and financial liability of each party in the event of a data breach or other security incident.
Developing a Vendor Offboarding Process
Vendor contracts should also have detailed requirements for how the third party should dispose of, return, and terminate access to sensitive data. In the case of high-risk vendors it may be necessary to have an on-site audit after termination to ensure the third party has acted in accordance with the offboarding process and its data, systems, and technology do not pose a security threat.
Data breaches have made headlines when vendors have failed to properly dispose of sensitive data. In 2021, HealthReach Community Health Centers reported that the data of 116,898 patients had potentially been compromised after a worker at a third-party data storage facility failed to properly dispose of the hard drives containing the data.
The breach also led to a class action lawsuit filed on behalf of patients and employees of the healthcare organization.
Building a Culture of Cybersecurity with Vendors
Fostering a culture of cybersecurity throughout your vendor’s organization is critical but challenging. After all, you don’t have direct control over vendor practices, and many organizations lack visibility into their supply chain. Vendors may also be resistant to change. However, you can still work together to strengthen your supply chain security.
First, ensure your vendor contracts clearly state the vendor’s responsibility towards building strong cybersecurity practices. Require regular training and awareness in your vendor contracts and collaborate with third parties by sharing best practices and continuous feedback and improvement of security practices. This includes regularly updating policies and practices based on new cybersecurity trends and insights. These approaches help your vendor develop greater trust in your organization and a long-term approach to a stronger security posture.
The Need for Vendor Cybersecurity Best Practices
According to a recent survey of CISOs, 92% of enterprises are either in the process of implementing a designated solution for third-party risk or are in the planning stages. Only 2% of companies have implemented a designated tool for third-party cyber risk management. Yet there is still a lot organizations can do to mitigate vendor risks without specific tools. That includes building a culture of cyber awareness through training and establishing a collaborative security environment to share the latest cyber risks and best security practices. Finally, organizations should engage in continuous improvement with their vendors, regularly updating policies and practices based on new cybersecurity trends and insights. In an increasingly complex digital supply chain with evolving cyber risk and regulations, organizations need a two-fold approach. They must integrate the latest and most advanced technology and tools that mitigate third-party risk, and combine them with vendor cybersecurity best practices that create a structured and proactive approach to vendor security.
Best Practices for Vendor Cybersecurity FAQs
- Cybersecurity best practices mitigate risks using a number of different tactics. These include establishing clear access controls, requiring multi-factor authentication (MFA), implementing continuous monitoring, conducting regular cybersecurity audits, and executing data encryption and secure transfer of sensitive information.
- Security and TPRM teams can help enforce vendor cybersecurity technical best practices through various tools, including vendor risk assessments, third-party risk management platforms, security risk ratings, cybersecurity questionnaires, and on-site audits and assessments. Other broader approaches include establishing security training and awareness throughout the organization, stipulating requirements for vendor cybersecurity specifically in the vendor contract, and developing a structured onboarding process.
- Best practices for vendor cybersecurity can support compliance by requiring specific security practices mentioned in regulations, including data encryption, strong multi-factor authentication (MFA), regular vendor audits, and the establishment of clear access controls and data privacy procedures. Conducting regular risk assessments helps the organization mitigate risks and continuously evaluate vendor compliance. Adopting incident response plans also helps organizations take a more proactive approach to TPRM and helps the vendor meet the compliance deadlines required for reporting data breaches.
- Businesses face a number of challenges when enforcing vendor cybersecurity best practices. First, they lack control of their vendor’s cybersecurity policies and must rely on other means of enforcement such as SLAs (service level agreements), vendor contracts, and due diligence. Second, they don’t have visibility into their supply chain and are often unable to identify the third, fourth, and n-th parties, not to mention the level of risk each vendor poses to their business. Finally, the regulatory and threat landscape is dynamic and constantly evolving, while at the same time many organizations’ networks and IT infrastructure, internal cybersecurity policies, and adherence to compliance can fluctuate. As a result, their cybersecurity practices and their third-party risk must be continuously monitored to proactively identify threats.