What is Third-Party Security Risk Management (TPSRM)?
The terms vendor risk management (VRM) and third-party risk management (TPRM) are often used interchangeably. But they are actually different when it comes to how you manage risk with them. Vendors are the organizations you purchase goods or services from – suppliers, service providers, etc. Third parties also include partners, contractors, consultants, applications – any organization you interface with to conduct your business, as well as their third parties. This article will focus on third-party security risk management (TPSRM), the cybersecurity portion of your third-party risk management program.
You need to ensure that every third party has and maintains an acceptable level of cybersecurity on an ongoing basis so that you can safely do business with them. To that end, the goal of TPSRM is to identify, classify and categorize the cyber risk associated with every external party that your organization interfaces with.
Your Cyber Attack Surface Has Expanded
Organizations are paying a lot more attention to the cybersecurity posture of their third parties – for good reason. Your attack surface has expanded dramatically. Any company that has access to your IT infrastructure, whether in person, such as an IT contractor, or programmatically, such as a machine-to-machine software partner, presents a potential attack point for a hacker. But it is impossible to be successful as an organization today without interfacing or having a relationship with third parties. The average organization increased its usage of cloud services by 15% in 2020 and the amount of sensitive data shared on the cloud increases 53% year over year. More work is being done from remote and home locations with less comprehensive security, further opening the door to hackers. As the attack surface has expanded so have the number and severity of security breaches originating from third parties.
- One-third (32%) of large organizations in a Kaspersky survey in 2021 suffered cyberattacks involving data shared with suppliers. The financial impact averaged $1.4 million.
- Nearly three-quarters (70%) of organizations responding to a Crowdstrike survey experienced a cyberattack originating through their software supply chain.
- 31% of third-party vendors could cause significant damage to organizations if breached, according to TechRepublic.
Your TPSRM Program
Cybersecurity is likely the most dynamic element relative to the other components of your third-party risk management program and needs its own specialized tools. To mitigate the potential for a cybersecurity breach originating from one of your third parties you need to have a comprehensive TPSRM program. It will not only reduce risk but also make your third-party relationships more efficient and productive. Your TPSRM program should address three elements: context, visibility, and engagement.
All of your third parties pose some level of risk, but not the same risk: the vendor providing office supplies does not present the same risk as the cloud service providing your data storage. This is where context comes in. How much time and effort you spend on each third party should be governed by what it has access to, how crucial it is to your operation, how your data flows to it and who can access that data, and whether it in turn relies on subcontractors and other service providers.
You can’t protect what you don’t know about or can’t see. The number of third parties that organizations deal with has exploded over recent years. ThreatPost discovered that “nearly 75% of the IT infrastructure of a typical Fortune 500 company is external to the organization.” It isn’t uncommon for the security department not to know who all of their third parties are. So your first step in creating a comprehensive TPSRM program is identifying your third parties—all of them.
Once you have identified your third parties, deploy a security questionnaire and an external cyber posture assessment so you can easily verify every third party’s security policy and posture. The questionnaire needs to be automated so it is easy to administer and scale, and targeted so the questions apply to the third party and its relationship with you. An external assessment can provide a picture of the third party’s exterior attack surface. But the questionnaire and security assessment only provide security information at a point in time. And they don’t tell you if the third party is actually following its internal security policies. For that, you need to have engagement.
The security questionnaire and security assessment are only the starting point of a comprehensive TPSRM program. Remediation or mitigation plans should be provided to the third party, along with visibility about how cyber gaps were found. You should then set realistic deadlines and provide an intuitive method for communication. In short, you and your third party should establish a collaborative business relationship.
Mitigating Third-Party Cybersecurity Risks
Your cyberattack surface expands with every third party you do business with. But you can mitigate the potential for your organization to suffer a breach caused by one of your third parties by establishing a comprehensive third-party security management program. A program that includes continuous monitoring helps you stay on top of your vendors’ cyber posture. Panorays can help you set up and administer a TPSRM program that works for both you and your third parties. Learn more by downloading The CISO’s Guide to Third-Party Security Management.