According to a recent study by SecureLink and Ponemon Institute, 51% of organizations have experienced a data breach caused by a third party. Despite the growing risk third parties pose, however, many companies are still not making the security of these relationships a priority. The key to effectively mitigating third-party risk is making it a continuous process, with defined controls and clear ownership of every third-party relationship within your organization.
Conduct an Initial Audit of the Third Party
When your organization is searching for a vendor to fulfill a need, are your key decision-makers considering the potential vendor’s security as a factor in their decision? If they are, they are likely going on reputation alone, but neither reputation nor contractual protections on their own are enough.
Yes, you should ensure during contract signing that security expectations are set and that penalties are in place for failure to meet them. You want to limit your organization’s liability in the event a breach does occur, and it is worth reviewing the vendor’s cyber insurance coverage as well. But you also need to conduct an overall assessment of the third party’s security practices. A risk assessment built on a questionnaire that maps to established security standards will help you understand the level of risk the third party brings to your organization. Beyond quantifying that risk, the assessment will show you the vendor’s process in the event of a breach: who inside the vendor is it reported to, within what timeframe, and will you be notified? This information is critical input to your own incident response plan for a breach that originates with a third party.
Consider the context of the vendor relationship as well. Does this vendor carry inherently higher risk because of the nature of the services they provide or the data they will come in contact with? A thorough audit, scored against measurable standards, lets you rank your third parties by risk, which is crucial for effective mitigation, particularly for small organizations with limited resources that must decide where to focus first.
Ongoing Monitoring
Once the contract is signed and the initial assessment is complete, continue to monitor whether the third party is complying with its contractual security obligations and meeting the regulatory requirements for data protection that apply to the data it handles.
Create an inventory of all third parties with access to your network. This inventory should record which parties have access to your organization’s most sensitive data, and which users within those third parties, or contractors of those third parties, hold that access. Limit network access to what the vendor actually needs, following a zero-trust approach in which access is granted only for the vendor to fulfill its specific purpose. Granting unneeded access leaves your organization unnecessarily exposed. An identity and access management process for third-party accounts is critical to understanding your attack surface and prioritizing monitoring. Organizations most often run into trouble when they lack the capability either to restrict this network access or to audit the resulting activity for suspicious behavior.
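The inventory and least-privilege checks described above can be made mechanical once the data is written down. The following is an added example, not RH-ISAC code or any vendor’s tool: it assumes a simple inventory record per third-party account (vendor, user, granted scopes, last activity date, contract end date) and a per-vendor list of the scopes the contract actually requires. The vendor names, scopes, dates and the 90-day staleness threshold are all constructed for illustration. It reports accounts granted more than their contracted need, accounts idle beyond the threshold, access that outlives the contract, and vendors for which nobody has documented an access need at all, then builds the “who can reach our most sensitive data” view the inventory is meant to answer.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Data categories this organization treats as most sensitive (constructed).
SENSITIVE_SCOPES = frozenset({"pii", "payment-card", "hr-records"})

# Reference date for the audit run (constructed so the example is reproducible).
AS_OF = date(2024, 6, 1)


@dataclass(frozen=True)
class VendorAccount:
    """One third-party identity in the access inventory."""
    vendor: str
    user: str               # vendor employee, contractor or service account
    scopes: frozenset       # data/network scopes the account is actually granted
    last_seen: date         # last authenticated activity
    contract_end: date      # end date of the vendor's contract


@dataclass(frozen=True)
class Finding:
    vendor: str
    user: str
    issue: str              # excess-scope | stale | contract-expired | no-policy
    detail: str


# Scopes each contract actually requires (constructed). A vendor missing
# from this table has no owner-approved statement of need.
REQUIRED_SCOPES = {
    "Acme HVAC": frozenset({"building-controls"}),
    "PayCo": frozenset({"payment-card"}),
    "StaffCo": frozenset({"hr-records"}),
}

# Sample inventory (constructed). Note the HVAC service account that was
# handed PII, the contractor whose contract ended months ago, and the
# kiosk vendor nobody in the organization has claimed ownership of.
INVENTORY = [
    VendorAccount("Acme HVAC", "acme-svc", frozenset({"building-controls", "pii"}),
                  date(2024, 5, 1), date(2025, 12, 31)),
    VendorAccount("PayCo", "payco-ops", frozenset({"payment-card"}),
                  date(2024, 6, 1), date(2025, 12, 31)),
    VendorAccount("StaffCo", "staffco-contractor1", frozenset({"hr-records"}),
                  date(2024, 1, 3), date(2024, 3, 31)),
    VendorAccount("StaffCo", "staffco-svc", frozenset({"hr-records"}),
                  date(2024, 5, 30), date(2024, 3, 31)),
    VendorAccount("Legacy Kiosk Co", "kiosk-admin", frozenset({"pii", "store-network"}),
                  date(2023, 11, 15), date(2025, 12, 31)),
]


def audit_inventory(inventory, required, today, stale_after_days=90):
    """Compare granted access against contracted need and lifecycle dates."""
    findings = []
    for acct in inventory:
        need = required.get(acct.vendor)
        if need is None:
            findings.append(Finding(acct.vendor, acct.user, "no-policy",
                                    "no documented access need or internal owner"))
        else:
            excess = acct.scopes - need
            if excess:
                findings.append(Finding(acct.vendor, acct.user, "excess-scope",
                                        "granted beyond contracted need: "
                                        + ", ".join(sorted(excess))))
        idle = today - acct.last_seen
        if idle > timedelta(days=stale_after_days):
            findings.append(Finding(acct.vendor, acct.user, "stale",
                                    f"no activity for {idle.days} days"))
        if today > acct.contract_end:
            findings.append(Finding(acct.vendor, acct.user, "contract-expired",
                                    f"contract ended {acct.contract_end.isoformat()}"
                                    " but access remains"))
    return findings


def sensitive_access_map(inventory):
    """For each sensitive scope, the sorted list of vendor/user pairs that hold it."""
    holders = {}
    for acct in inventory:
        for scope in acct.scopes & SENSITIVE_SCOPES:
            holders.setdefault(scope, []).append(f"{acct.vendor}/{acct.user}")
    return {scope: sorted(users) for scope, users in holders.items()}


def run_audit():
    """Audit the sample inventory as of AS_OF."""
    return audit_inventory(INVENTORY, REQUIRED_SCOPES, AS_OF)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.issue:17} {f.vendor}/{f.user}: {f.detail}")
    for scope, users in sorted(sensitive_access_map(INVENTORY).items()):
        print(f"{scope}: {', '.join(users)}")
```

In practice the inventory rows would come from your identity provider or VPN/PAM exports rather than a hand-built list, and the required-scopes table is the artifact the contract owner signs off on; an account whose vendor has no entry there is exactly the unowned relationship that makes a comprehensive inventory hard to keep.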
Collaboration
Another gap that puts organizations at risk is simply having no one designated to manage vendor relationships and the network access that goes with them. Different stakeholders within your organization may each manage a few of these relationships, which makes a comprehensive inventory difficult to assemble. Collaborate internally to decide who is responsible for third-party risk management. You also need collaboration between your team and your counterparts at the vendor, which is easier with a defined point of contact on each side, particularly for tasks such as the security assessment, which often involves a good deal of back-and-forth.
Ultimately, third-party risk management can feel like a moving target, but treating it as an ongoing process, rather than an assessment done once or, worse, never done at all, is crucial for protecting your organization from one of the leading sources of data compromise.
Learn more about third-party risk management with on-demand webinars available exclusively to RH-ISAC members on Member Exchange. Not a member? Learn more about how your company could benefit!