A third-party vendor is any entity that your organization does business with.
This includes suppliers, manufacturers, service providers, business partners, affiliates, brokers, distributors, resellers and agents.
Vendors can be upstream (suppliers and vendors) and downstream (distributors and resellers), as well as non-contractual entities.
Table of contents
- What risks do third-party vendors bring?
- Do I need to worry about vendors who don’t work on critical business activities?
- What are examples of third-parties?
- What is vendor risk management?
- Is my business liable for third-party breaches?
- What are fourth-party vendors?
- How can I get information about my fourth-party vendors?
- How UpGuard can help you monitor your third-party and fourth-party vendors
1. What risks do third-party vendors bring?
Third-party vendors, partners, contractors and consultants can bring needed expertise and services to your organization, but they often have access to internal systems and sensitive data. This means they can steal company data, change system configurations or sabotage critical infrastructure.
Even with no malicious intent, poor third-party vendor security represents a large security risk.
This is why governments around the world have introduced strict regulatory requirements that mandate some form of vendor risk management, to ensure sensitive data and personally identifiable information (PII) is transferred, stored and processed in a way that protects information security.
Financial institutions (e.g. under APRA CPS 234) and healthcare organizations (e.g. under HIPAA) come under particular regulatory scrutiny.
2. Do I need to worry about vendors who don’t work on critical business activities?
Yes, third-parties who don’t conduct critical business activities can still represent significant third-party vendor risk. In some cases, cleaners can represent a larger third-party risk than a typical Software-as-a-Service provider.
This is because the cleaner may have access to the CEO’s computer that stores information that could be the target of corporate espionage.
The key takeaway is to understand your organization’s security standards are only as good as your weakest third-party vendor’s security practices.
3. What are examples of third-parties?
Recall that a third-party vendor is anyone who provides a product or service to your organization including:
- Manufacturers and suppliers (everything from PCBs to groceries)
- Services providers, including cleaners, paper shredding, consultants and advisors
- Short- and long-term contractors. It’s important to manage short- and long-term contractors to the same standard and to assess the information they have access to.
- Any external staff. Keep in mind that the level of cyber risk awareness can vary widely from one external staff member to another.
- Contracts of any length can pose a risk to your organization. The Internal Revenue Service (IRS) has regulations about vendor and third-party relationships that go beyond specific time frames, so even the length of a contract can pose risk. In the IRS’s eyes, a vendor working onsite with a company email address for longer than a specific period of time should be classified as an employee and receive benefits.
4. What is vendor risk management?
Vendor risk management (VRM) or third-party management deals with the management and monitoring of risks resulting from third-party vendors and suppliers.
VRM programs are concerned with ensuring third-party products, IT vendors and service providers do not damage business continuity, data security or expose sensitive information like credit card numbers or personally identifiable information (PII).
The demand and need for vendor risk management has grown in recent years due to the introduction of laws like the EU General Data Protection Regulation (GDPR), as well as the fact organizations are entrusting more of their business processes to third-parties.
Vendor security must be a key part of your overall cybersecurity strategy.
It’s not enough to focus on service-level agreements (SLAs) and disaster recovery in your third-party risk management program. You need real-time, ongoing monitoring to be a part of your third-party vendor management program.
Your information security policy needs to focus on both first and third-party security to minimize total cyber risk. Spend some time creating a third-party risk management framework and operationalizing it. Consider investing in automating vendor risk management.
5. Is my business liable for third-party breaches?
It depends on your industry. In the United States, the Office of the Comptroller of the Currency (OCC) wrote in its risk management guidance:
A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.
Along with the OCC, the Federal Reserve System (FRS) and the Federal Deposit Insurance Corporation (FDIC) have statutory authority to supervise third-party service providers in contractual agreements with regulated financial institutions.
The Supervision of Technology Service Providers booklet from the FFIEC highlights that the use of third-party providers “does not diminish the responsibility of the…board of directors and management to ensure that activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations, just as if the institutions were to perform the activities in-house.”
6. What are fourth-party vendors?
Fourth-party vendors are the vendors your own third-party vendors rely on. You need to understand four things about your fourth-party vendors:
- Who they are
- What products and services they provide to your vendor
- What level of due diligence your vendor has done on their vendors
- Their cybersecurity rating
7. How can I get information about my fourth-party vendors?
Ask your third-party vendors to provide you with:
Best-in-class organizations that want to minimize third-party and fourth-party risk continuously monitor and score their third-party and fourth-party vendors, and send security questionnaires over the whole lifecycle of the vendor relationship.
8. How UpGuard can help you monitor your third-party and fourth-party vendors
Cybersecurity is more important than ever before.
That’s why companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches, monitor for vulnerabilities and avoid malware.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors’ security posture over time while benchmarking them against their industry.
UpGuard BreachSight can help combat typosquatting, prevent data breaches and data leaks, avoid regulatory fines and protect your customers’ trust through cyber security ratings and continuous exposure detection.