It’s no longer enough to secure your own company’s infrastructure; you now must also evaluate the risk of third-party vendors and plan and monitor for breaches there, too. Data breaches are reported in the news all the time, and more than 60 percent of them are linked to a third party. When you’re a business owner, that is a scary statistic.
Third-Party Vendor Security Risks
A big part of your third-party risk management (TPRM) planning should be to follow the standard practice of assessing the risk and classifying each vendor. First, make a list of each vendor and determine how integrated they are with your company, what data is exposed to them and where the potential risks lie. Next, classify each vendor into a category based on the type of risk, whether or not multiple risk areas exist with that vendor and what actions must be taken to remediate the risk. The following is a potential list of classifications for organizing your third-party vendors:
- Strategic risk
- Credit risk
- Geographical risk
- Industrial risk
- Reputational risk
- Operational risk
- Transactional risk
- Compliance risk
Another way to look at it is to classify vendors based on the data they manage for you or on your relationship with them. It is essential to know how the data is being stored, handled and secured now, and how it will be handled after you are no longer their customer. To further classify your relationship to the vendor when planning your TPRM program, consider the following types of relationships:
- Infrastructure only – This is a limited relationship with the vendor providing only hardware, servers, drives and storage.
- Managed applications – This type of relationship extends into maintenance and management of the data and is focused on the software side of things.
- All data – With an all data relationship, your third-party vendor is heavily involved with both the hardware and software aspects and may include disaster recovery and backups, as well.
Managing the TPRM Process: Security Best Practices
One of the best ways to know you are protected is to automate your TPRM process. Not only will this help insulate you from extensive risk, but it will also provide a standard for all new vendors that you partner with in the future. It will also help you save money, because employing new technologies means you don’t have to do things manually. Be sure to use continuous monitoring rather than point-in-time checks for a more accurate security assessment.
You should also use independent evaluation services for third-party risk assessments. You are too close to the vendor to gain an unbiased view of the risk factor. By hiring an independent contractor to assess the risk, you get a more accurate picture of where you stand and how viable your security is. Often outsiders can see the bigger picture because they are not involved in the day-to-day activities. Another good reason to use outside sources is that they are experts and will have tools and knowledge your business may lack.
Along with monitoring and assessing, you also need a plan for onboarding new vendors. Profile new vendors before hiring them. Develop a monitoring system for after they begin work. Formulate a disaster recovery plan and have them walk you through their process for remediation. Before hiring anyone, be sure to have accurate information on their credit, customer reviews, support policies and company history, including any lawsuits or other legal issues. Ask for detailed information about their security practices and disaster recovery plans.
Ensure you are protected legally by detailing everything in the vendor contract. Make sure you clearly outline the service they are providing, the terms of the agreement, any confidentiality you need and contingencies – include some language for flexibility if changes are needed down the road. It’s always a best practice to have new vendors sign NDAs for confidentiality and protection of your customers and corporate assets.
What Security Tools Are Available
When it comes to securing business data, you cannot be too careful or spend too much money. In large companies with multiple departments, the job of assessing third-party vendor risk can be daunting. Luckily, there are tools available to automate the process and make securing your business data easier. The software options available have built-in tools that assess third-party vendor risk, oversee and manage contractors, onboard new ones efficiently and easily handle terminations. Some products even offer continuous monitoring and integration with your current systems. Regardless of the tool you use, it must meet your company’s needs and satisfy compliance requirements to keep your customer and corporate data safe.
About the Author: Ben is a Digital Overlord and Chief Security Officer at InfoTracer who takes a wide view from the whole system. He authors guides on entire security posture, both physical and cyber.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.