Three Steps To Manage Third-party Risk In Times Of Disruption

By ISBuzz Team. September 28, 2020. Updated: July 4, 2024. 5 Mins Read

From suppliers and outsourcers to service providers and distributors, a third-party breach can occur at any point along your supply chain. As attackers continue to look for ways to infiltrate companies through their partners and the third-party ecosystem continues to grow, so does this risk – last year, 59% of companies experienced a third-party data breach. And it's not just small businesses that are at risk: even high-profile, international businesses can fall victim to a third-party breach. In 2019, for example, both a US intelligence agency and a large social media company suffered breaches in which confidential information was exposed on publicly accessible sites run by partners. The problem is that, as companies work with a growing number of third parties, they do not always have the resources and processes in place to fully understand and mitigate the risks partners introduce.

Furthermore, the pandemic has meant that IT teams are being spread increasingly thin, so there's even more potential for third-party risks to go unnoticed until it's too late. But while third parties represent a clear digital risk, they are an equally crucial support network for businesses, especially during times of disruption. This raises the question: at a time when IT resources are already stretched, how can IT and security teams support the business in its use of third parties while managing the risks they create?

Effectively managing third-party risk – even during times of disruption – doesn't need to be complicated if you follow these three steps:

#1: Start new partnerships on a strong foundation

When working with any new third party, organisations must prioritise risk management. This means carrying out a thorough assessment and audit of new providers, including background checks to better understand the potential weaknesses that attackers may take advantage of. When considering whether to bring a new provider on board, companies must ensure that these third parties have sufficient measures in place to perform to expectations on an ongoing basis.

After a risk assessment has been carried out, organisations must ensure that a risk strategy is built into all service-level agreements and constantly monitor their third-party partners for new risks that may arise, including further down the supply chain. This includes monitoring the third party's performance metrics and internal control environment and collecting any relevant supporting documentation on an ongoing basis. Such information can then inform risk strategy across the business and help companies identify issues before they arise. By monitoring these relationships on an ongoing basis, IT teams have wider visibility into the risk landscape and can minimise the likelihood of issues down the line.

#2: Protect your data by sharing only what you need to

Protecting data isn't easy when it's constantly shared across vast third-party ecosystems. One of the most significant third-party risks is a lack of visibility into how data is used and with whom it's shared, given the privacy implications. It is essential that businesses ensure external parties are who they claim to be, can access only the systems and data they have the right to access, that their credentials have not been compromised, and that data is deleted once it's no longer needed. When assessing how much system access to grant, businesses should make sure that third parties' security protocols align with their own, whether they're working with a partner that requires customer data or a systems integrator needing direct access to internal systems. By having a sound understanding of these protocols, it's easier to decide how much trust to place in each provider.

Furthermore, with increased privacy regulations, like the GDPR, introducing the possibility of regulatory fines and breach-related expenses, it's now more important than ever for organisations to start having meaningful conversations around compliance, privacy and data, especially if it involves third parties. Organisations must implement secure authentication solutions not only to protect vital resources, but also to safeguard customer trust and reputation. Businesses can share customer data with third parties only when they have explicit consent from customers in all instances and, even then, they must share only what is necessary.

#3: Check your internal processes are up to the task

If a large number of third parties are used by the company, it can be hard for IT teams to keep track. Third-party relationships are often managed in silos across different areas of the business, each of which may have a unique way of identifying and managing them. This makes it increasingly difficult for management teams to get an accurate overview of third-party risk and performance across the business. However, by having a central database of all third-party relationships, stakeholders will be able to quickly identify such information as the individual accountable for each relationship, any outdated contracts, and any changes needed to contract terms. As a result, they have greater visibility into the third-party ecosystem across the business and can therefore mitigate the risk of a third party slipping through the cracks.

To ease the load on IT teams, organisations must also make clear that risk affects not only IT but also security, and governance, risk and compliance teams. In doing so, they can work towards a more consolidated approach to managing both the business and IT risks associated with third parties, safeguarding the business.

Getting on the front foot

It’s more important than ever for businesses to foster and maintain third-party relationships in a way that is both secure and compliant. In times of disruption, IT teams can find their attention diverted elsewhere, creating a window of opportunity for attackers. However, while third-party relationships are a necessity for organisations today, the digital risks they create don’t have to be. By taking a programmatic approach to identifying, categorising, assessing, and monitoring third-party risk, IT teams can simplify the risk management process and remain secure.

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.