Once upon a time, a company’s IT network was like a fenced-in estate, protecting sensitive data and proprietary information: only employees with correct access information and company-owned devices could enter. Remotely logging on to a company server was a big deal, often reserved for senior management, who had to navigate many levels of access control and special clearance.
Those days are now long gone. Telecommuting and remote work were already on the rise before COVID hit and sent even more employees into remote work. At the same time, Bring Your Own Device (BYOD) policies allowed privately owned computers and cellphones to be used on an organization’s network.
It’s all part of the fast-moving digital transformation of the modern workplace, which is also introducing a host of new cybersecurity risks: each connected device opens the door to a different risk landscape, and a new level of cybersecurity threat.
Now cyberattacks make headlines every day, at a time when businesses increasingly rely on third-party applications and business partners — everything from cloud storage providers to payroll systems and much more, with abundant access to your sensitive information. Many of those third parties use other third parties themselves, leaving companies questioning whether everyone in their software supply chain is following the companies’ own strict information security protocols.
Most likely, those other parties are not. That’s why third-party risk management is so important.
What is a third-party security risk?
You may have heard of the Wipro case. Wipro is an IT company that provides services to Fortune 500 companies, banks, and governments around the globe. When Wipro was hacked in 2019, cyber criminals were able to get into networks belonging to some of Wipro’s clients and install malware there.
In early 2020, software firm Blackbaud suffered the same fate: hackers got into its cloud-based system and infiltrated some of the nonprofit and higher education organizations that use Blackbaud’s services.
These are just two examples to show you that even with outstanding security protocols and strict access control, no company is immune to cyberattacks stemming from third-party risk.
The tricky part about managing third-party risk is that you don’t have direct access to your third-party contractors’ risk and security assessments, and you may not be informed of any security issues your service provider experiences.
How do you manage third-party security risk?
Given that you will always be on the outside looking in on the security policies and standards applied by a third-party contractor (even if your vendor contract includes the right to audit and mandatory notification about breaches), there is a high level of trust involved in third-party risk assessment and third-party risk management.
Here are some steps to consider as you evaluate and assess your third-party business associations and get a better understanding of the critical risks you may be exposed to:
Establish a vendor management program.
Take an in-depth look at your supply chain and the ecosystem of other businesses connected to yours. Assess your third-party vendors by having each one fill out a questionnaire that identifies how it deals with cybersecurity threats, and how it uses “fourth parties.” (When one of your third-party vendors uses another party to manage your data, that other party is a fourth party to you.) This is especially important for healthcare organizations, because all external vendors must be HIPAA-compliant.
A vendor management program is not a one-and-done exercise, either. Your risk assessments and vendor questionnaires should be updated regularly, as cyber criminals change their tactics over time and as your operations evolve and you use vendors in new ways.
Rank vendors according to the risk they pose.
Catalog all third-party security risks and rank them according to severity. Use a disciplined, rules-based approach to ensure consistency in your analysis. Also try leveraging existing vendor risk assessments, such as the Shared Assessments Program, to stay current with industry standards.
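As an added illustration of the questionnaire and ranking steps above (example code, not from the original post or ZenGRC), the following applies one fixed rule table to every vendor's questionnaire answers so the ranking is consistent. The questionnaire fields, point weights and severity thresholds are assumptions chosen for illustration, and the vendor answers are constructed sample data.

```python
# Added example: rules-based third-party risk ranking over questionnaire answers.
# Fields, weights and thresholds are assumptions for illustration, not a standard.
from dataclasses import dataclass

@dataclass
class VendorAnswers:
    name: str
    handles_sensitive_data: bool      # stores or processes our sensitive data
    network_access: bool              # connects into our network (API keys, VPN, agents)
    uses_fourth_parties: bool         # hands our data to its own subcontractors
    breach_notification_clause: bool  # contract obliges it to notify us of incidents
    right_to_audit: bool              # contract grants us audit rights
    hipaa_required: bool = False      # the vendor touches PHI we are responsible for
    hipaa_compliant: bool = False     # vendor attests to HIPAA compliance (BAA in place)

# Rule table: (finding, predicate, points). The same rules run for every vendor,
# which is what makes the resulting ranking repeatable.
RULES = [
    ("handles sensitive data",          lambda v: v.handles_sensitive_data, 40),
    ("has network access",              lambda v: v.network_access, 25),
    ("uses fourth parties",             lambda v: v.uses_fourth_parties, 15),
    ("no breach-notification clause",   lambda v: not v.breach_notification_clause, 10),
    ("no right to audit",               lambda v: not v.right_to_audit, 10),
    ("HIPAA required but not attested", lambda v: v.hipaa_required and not v.hipaa_compliant, 50),
]

def score_vendor(v):
    """Return (total points, list of triggered findings) for one vendor."""
    triggered = [(desc, pts) for desc, pred, pts in RULES if pred(v)]
    return sum(pts for _, pts in triggered), [desc for desc, _ in triggered]

def severity(score):
    """Map a score to a severity bucket (thresholds are an assumption)."""
    return "critical" if score >= 80 else "high" if score >= 50 else "medium" if score >= 25 else "low"

def rank_vendors(vendors):
    """Catalog every vendor with score, severity and findings, highest risk first."""
    rows = []
    for v in vendors:
        s, findings = score_vendor(v)
        rows.append({"vendor": v.name, "score": s, "severity": severity(s), "findings": findings})
    return sorted(rows, key=lambda r: (-r["score"], r["vendor"]))

# Constructed sample questionnaire answers (fictional vendors).
SAMPLE = [
    VendorAnswers("payroll-saas", True, False, True, True, False),
    VendorAnswers("cloud-storage", True, True, False, True, True, hipaa_required=True),
    VendorAnswers("office-snacks", False, False, False, False, False),
]

if __name__ == "__main__":
    for row in rank_vendors(SAMPLE):
        print(f"{row['severity']:8} {row['score']:3}  {row['vendor']}: {', '.join(row['findings']) or 'none'}")
```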
Ensure that third-party apps employ proper protocols.
With ever more apps hosted in the cloud, properly integrated security is imperative. Begin by establishing oversight: identify the people who will be responsible in case a data breach does occur, and make sure you have plans for remediation.
For cloud-based vendors, McAfee provides a great breakdown of potential security issues and responsibility. Make sure all potential vendors are asked about application security as part of your standard onboarding procedure.
Practice endpoint security.
Every device that connects into your IT system is an endpoint. It may be relatively easy to maintain network security with company-owned terminals, but if you allow BYOD, then your security standards have to change to accommodate that expanded risk.
Commercial cloud systems have significantly increased endpoint risk. Enforce a network-wide usage policy, and find an endpoint security product that offers strong real-world protection.
Keep current with third-party vulnerabilities.
Several third-party big data tools are available that provide vulnerability intelligence. The National Vulnerability Database (NVD), operated by NIST, is the biggest and best of them.
How do data security and data privacy differ?
Any conversation about third-party vendor security must also address privacy. This is especially important if you have clients or customers in the European Union, because the General Data Protection Regulation (GDPR) requires that you disclose how you store sensitive data, and also how you use or share it. Always keep privacy risks in mind as you move ahead with your third-party security and risk assessment.
ZenGRC makes it easy to manage third-party security risks.
While you are busy running a business and getting back on track after COVID, let us help you discover, mitigate and manage third-party security risks.
ZenGRC is intuitive and easy to use, and it will help you hone your cybersecurity strategies no matter how complicated and far-reaching your supply chain is.
Using the latest in automation and artificial intelligence, ZenGRC sends you real-time alerts and updates, allowing your IT team to quickly remediate any cyber incident before it becomes a cyber disaster. Contact us for a demo today.