How to Conduct Better Third-Party Risk Assessments

This post first appeared on Risk Management Monitor. Read the original article.

Today’s enterprises operate in a complex digital ecosystem that connects customers, vendors and partners, and through which data is shared and transactions are processed. Because much of this activity is outsourced to third-party systems and services, many enterprises have dramatically increased the scale and complexity of their risk surface.

While companies rely on third parties (and on fourth parties, the vendors of their vendors) to do business and often benefit from using such external services, these relationships also pose a risk to the enterprise’s sensitive data. Enterprises depend on these third parties to fulfill essential services and expect them to secure the enterprise’s data in the process. Unfortunately, this does not always happen.

According to a survey by RiskRecon, a Mastercard company, and the Cyentia Institute, third-party risk practitioners said that 31% of their vendors could cause a critical impact to their organization if breached, while 25% said that half of their entire vendor network could trigger severe impacts.

Recent catastrophic cybersecurity incidents like the SolarWinds case demonstrate that cyberrisk can come from supply chain layers beyond the company’s immediate third parties. These multi-party cyber breaches create a ripple effect and threaten to have a far greater impact than those affecting single companies.

Business leaders, third-party risk practitioners, and cybersecurity professionals are well aware of the potential impacts of third-party risk, yet many struggle to keep up. In fact, research shows that only 14% of third-party risk professionals are confident that their vendors can meet their third-party security requirements. Managing vendor risk can seem like an impossible problem, but the key is gaining greater visibility into your digital supply chain and monitoring the external parties that pose the greatest risk to your firm.

Traditional Risk Assessments vs. Continuous Third-Party Monitoring

Traditional risk assessment processes cannot fully address today’s dynamic cyberrisk landscape: questionnaire answers are difficult to validate, take a long time for both the vendor and the organization to process, and reflect a single point in time. Without a valid, current assessment, security teams are forced to prioritize vulnerabilities blindly, which undermines risk mitigation and limits the assessment’s value as an accurate barometer of third-party risk.

It can be easy and tempting to complete a third-party risk assessment in one month and then forget about it for another year, but third-party risk management is not a once-a-year project. It requires an ongoing program with ongoing monitoring. This may appear to be overwhelming, confusing and time-consuming, and there will always be more vendors to assess, but a well-structured, continuous third-party monitoring program helps your security team prioritize.

It is also important to act on the vulnerabilities identified at these critical vendors and to gain visibility into how they are being remediated. Continuous third-party monitoring not only helps you identify and remediate risk, but also serves as a helpful tool for communicating your organization’s security hygiene to board members or executive leadership.

Below are practical steps that cybersecurity teams and risk professionals can take to better manage their organization’s third-party cyberrisk:

  1. Ask the right questions: Build security questionnaires that ask how a vendor handles the company’s data, and collect the answers. To manage risk well, security teams need insight into the technologies used internally and externally by third parties, fourth parties, and beyond. 
  2. Assign a risk rating: Based on the questionnaire answers, assign the vendor a risk rating that reflects both its security posture and the impact a breach of that vendor would have on your organization. With a clear understanding of each vendor’s posture, the security team can rank vulnerabilities in order of priority, so they know which issues to tackle first.
  3. Take action: Create custom-fitted risk action plans so you can immediately start engaging with your vendors on remediation. Continuous monitoring should alert you promptly when a vendor’s cyber risk degrades or a control falls out of policy. With accurate visibility into supply chain risk, security teams can then use that information to decide whom to share data with moving forward.
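The three steps above, carried through as an added example (this is not code from the original article or from any vendor product): questionnaire answers are scored against weighted controls, combined with the breach impact of the vendor’s data class and criticality to produce a rating, checked against hard policy requirements, and compared quarter over quarter so that a degradation triggers an alert and a prioritized action plan. The control names and weights, the impact scales, the policy requirements, the 30% residual-risk floor, the rating bands and the sample vendors are all assumptions constructed for this example.

```python
from dataclasses import dataclass

# Questionnaire controls and their weights. The control set and weights are
# assumptions for this example, not a standard; tune them to your own questionnaire.
CONTROL_WEIGHTS = {
    "mfa_enforced": 3,
    "encryption_at_rest": 3,
    "encryption_in_transit": 2,
    "vulnerability_scanning": 2,
    "incident_response_plan": 2,
    "subprocessor_inventory": 1,  # does the vendor know and disclose its own (fourth-party) vendors?
    "independent_audit": 1,       # e.g. a current SOC 2 report or penetration test
}
TOTAL_WEIGHT = sum(CONTROL_WEIGHTS.values())

# Impact if the vendor were breached: what data it holds, and how essential the service is (assumed scales).
DATA_IMPACT = {"public": 1, "internal": 2, "confidential": 3, "regulated": 4}
CRITICALITY_IMPACT = {"low": 1, "medium": 2, "high": 3}
MAX_IMPACT = max(DATA_IMPACT.values()) * max(CRITICALITY_IMPACT.values())

# Hard requirements by data class: a missing one puts the vendor out of policy regardless of score.
POLICY_REQUIREMENTS = {
    "confidential": {"encryption_in_transit"},
    "regulated": {"mfa_enforced", "encryption_at_rest", "encryption_in_transit"},
}

# A breach of a critical vendor still hurts even when every control is in place, so controls
# can only reduce inherent risk down to this fraction of it. Assumed value.
MIN_RESIDUAL_FRACTION = 0.3

# Residual score (0-10) bands, highest first.
RATING_BANDS = [(8.0, "Critical"), (5.0, "High"), (2.5, "Medium"), (0.0, "Low")]
RATING_ORDER = [label for _, label in RATING_BANDS]


@dataclass
class Assessment:
    vendor: str
    data_class: str
    criticality: str
    answers: dict  # control name -> True if the vendor attests the control is in place


def control_score(answers: dict) -> float:
    """Weighted fraction of controls in place, 0.0 (none) to 1.0 (all)."""
    present = sum(w for c, w in CONTROL_WEIGHTS.items() if answers.get(c, False))
    return present / TOTAL_WEIGHT


def inherent_risk(a: Assessment) -> float:
    """Breach impact on a 0-10 scale, before any controls are considered."""
    return 10.0 * DATA_IMPACT[a.data_class] * CRITICALITY_IMPACT[a.criticality] / MAX_IMPACT


def residual_risk(a: Assessment) -> float:
    """Inherent risk scaled down by the vendor's controls, floored at MIN_RESIDUAL_FRACTION."""
    uncontrolled = (1.0 - MIN_RESIDUAL_FRACTION) * (1.0 - control_score(a.answers))
    return round(inherent_risk(a) * (MIN_RESIDUAL_FRACTION + uncontrolled), 2)


def rating(a: Assessment) -> str:
    score = residual_risk(a)
    return next(label for floor, label in RATING_BANDS if score >= floor)


def policy_violations(a: Assessment) -> list:
    """Required controls the vendor reports as absent for its data class."""
    required = POLICY_REQUIREMENTS.get(a.data_class, set())
    return sorted(c for c in required if not a.answers.get(c, False))


def action_plan(a: Assessment) -> list:
    """Missing controls, heaviest first, so the remediation conversation starts with the biggest gap."""
    missing = [c for c in CONTROL_WEIGHTS if not a.answers.get(c, False)]
    return sorted(missing, key=lambda c: -CONTROL_WEIGHTS[c])


def compare(previous: Assessment, current: Assessment) -> dict:
    """Continuous-monitoring step: flag a worse rating band and any newly violated requirement."""
    degraded = RATING_ORDER.index(rating(current)) < RATING_ORDER.index(rating(previous))
    new_violations = sorted(set(policy_violations(current)) - set(policy_violations(previous)))
    return {"rating": rating(current), "degraded": degraded, "new_violations": new_violations}


def prioritize(assessments: list) -> list:
    """Vendors ordered by residual risk, highest first: the ones to engage first."""
    return sorted(assessments, key=residual_risk, reverse=True)


# Constructed sample questionnaire results; these are not real vendors.
PAYROLL_Q1 = Assessment("payroll-saas", "regulated", "high", {
    "mfa_enforced": True, "encryption_at_rest": True, "encryption_in_transit": True,
    "vulnerability_scanning": True, "incident_response_plan": True,
    "subprocessor_inventory": False, "independent_audit": True,
})
# A quarter later the same vendor reports MFA is no longer enforced after a platform migration.
PAYROLL_Q2 = Assessment("payroll-saas", "regulated", "high", {**PAYROLL_Q1.answers, "mfa_enforced": False})
NEWSLETTER = Assessment("newsletter-tool", "public", "low", {"encryption_in_transit": True})

if __name__ == "__main__":
    for a in prioritize([NEWSLETTER, PAYROLL_Q2]):
        print(f"{a.vendor}: residual {residual_risk(a)} -> {rating(a)}, "
              f"violations {policy_violations(a)}, plan {action_plan(a)}")
    print("quarter-over-quarter:", compare(PAYROLL_Q1, PAYROLL_Q2))
```

Two design points worth noting. Impact multiplies the control score rather than being added to it, so a low-impact vendor with weak controls (the newsletter tool) still rates below a high-impact vendor with good controls; and the policy check is separate from the score, so a regulated-data vendor that drops MFA is flagged even before its band moves. The `compare` step is what turns the annual questionnaire into monitoring: rerun it on every refreshed answer set and alert on `degraded` or a non-empty `new_violations`.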

By applying these practices, organizations can better manage their third-party risk, reduce their overall risk, increase cyber visibility, and improve the quality of their vendor and supplier networks.
