As if managing your own risk profile isn’t challenging enough today, your organization must concern itself with how every one of your suppliers and vendors addresses risk. That’s right—your business is responsible for the risk-related action or inaction of everyone in your service and supply-chain network. Sounds daunting, right? How concerned should your organization be about the dangers of third-party risk today? In short—very concerned.
Imagine doing business with a reputable credit card processing vendor who you have trusted for years with your customers’ sensitive personal information. To your knowledge, they take data protection seriously and use the latest tools and security best practices to safeguard customers’ point-of-sale information. However, in a cost-cutting measure, this vendor chose not to renew critical security software.
This poor decision created numerous vulnerabilities that hackers quickly exploited, stealing your trusting customers’ credit card information. Ouch. Your business now shares the financial, legal, and reputational sting of this vendor’s security and compliance gaffe.
Third-party risk should be a top-of-mind concern for all businesses today—from global giants to two-person startups. If your business engages supply-chain partners or outsources anything, third-party risk should be on your radar. Charles Denyer, a noted expert in National Security and Cybersecurity, stresses the significance of third-party risk today, “In my opinion, it’s the biggest risk facing organizations right now. Most businesses simply don’t have the capacity to do their due diligence on third parties, and it only takes one bad apple in the supply chain to create huge risks.”
This article will explore the dangers of third-party risk and provide a list of critical risk-related questions businesses should use to vet all vendors and members of their supply-chain network.
5 Essential Steps To Creating an Effective Third-Party Risk Management Program
Third-party risk is the likelihood that your organization will experience an adverse event (e.g., data breach, operational disruption, reputational damage) when you choose to outsource certain services or use software built by third parties to accomplish certain tasks. Third parties include any separate business or individual providing software, physical goods, or supplies or services. Third parties include software vendors, suppliers, staffing agencies, consultants, and contractors.
Relying on third parties for your business’ successful operation is intrinsically risky. After all, you must trust a separate entity over whose business practices and processes you have no control.
6 Types of Risks to Watch Out For When Working With Third-Party Vendors
Third-party risk typically exists in one of the six following areas:
Third parties are often the favored vector for cyber attacks today. Attackers infiltrate supply-chain links, silently infecting their systems and devices. The attacker then uses the third party as a “platform” to launch attacks on higher-value targets.
This type of risk is often created by a third-party security control failure resulting in data loss, which in turn results in a data privacy violation which leaves the principal enterprise open to liability and punishment. This type of risk is a significant concern for modern enterprises, as 80% of data breaches now originate with a third party. Third-party environmental or labor law infractions can also contribute to regulatory/compliance risk.
Financial risk involves a third-party action damaging the financial standing of an organization. This damage can come in the form of substandard vendor work or a defective component that slows business and reduces revenue. Economic damage can also be in the form of fines or legal fees.
Operational risk is created by the possibility of a third-party action that causes an operational shutdown. A vendor falling victim to a network hack or natural disaster could cause a system lockdown and temporarily disrupt business operations.
Reputational risk is created by negative public opinion originating from publicized security breaches, legal violations, or poor customer interactions. Reputational risk can be realized when you work with a third party that has poor labor practices or treats its workers unfairly.
Strategic risk involves the problems created when third-party and organizational business strategies aren’t in alignment. This risk often results from poor business decisions made by a third party.
Some third-party risks can affect businesses in multiple ways. Data breaches are an example of a dangerous risk overlapping multiple risk categories—they disrupt operations, present a regulatory threat, and can cause financial and reputational damage.
Behaviors That Increase Third-Party Risk
Third-party risk is boosted by numerous factors, many of which enterprises can control. Businesses are currently outsourcing at an unprecedented rate, with 66% of larger enterprises (more than 50 employees) and 29% of smaller enterprises (less than 50 employees) sending their work outside. History tells us outsourcing the bulk of your workforce increases exposure to all types of third-party risk.
By failing to vet vendors thoroughly, organizations significantly open themselves up to third-party risk. It falls on every business to conduct proper due diligence before onboarding any vendor. Keep in mind that due diligence must become a continuing process over the life of a vendor contract.
Every vendor should be extensively researched regarding their business policies, reputation in the industry, and adherence to regulatory requirements. Hiring organizations must dig deep on issues of compliance. What regulations currently exist in the vendor’s industry? Does the vendor have any previous warnings or violations? Do they have any third-party auditor validation to prove their compliance status?
Unfortunately, most companies today aren’t doing enough to ensure their vendors meet acceptable risk control standards, especially security. Organizations failing to confirm acceptable security levels are suffering significant regulatory, financial, and reputational hits.
Take the network management company SolarWinds for example. Hackers breached their security control system, inserting malware into the Orion IT monitoring platform that remained undiscovered for months. Exploiting this third-party vendor’s weak defenses allowed attackers to access sensitive information belonging to high-profile SolarWinds clients’ customers.
Other lax software and security practices can contribute to an increase in your organization’s third-party risk. When developers use open-source software (OSS), they may unintentionally introduce exploitable vulnerabilities into source code. These vulnerabilities go unnoticed until the third-party vendor is hacked and used as a platform for launching attacks on more high-profile targets.
Many companies unwisely choose to run software without performing due diligence on security controls, which often are out of date. Do your business a favor and double-check that you and your vendors employ the latest, most secure software version.
Finally, failure to locate and patch vulnerabilities promptly can weaken security posture and boost associated third-party risk. This is where an in-depth examination of a vendor’s security practices during due diligence can prove invaluable when looking to minimize third-party risk. For a more comprehensive list of risks, you need to consider when using SaaS providers, check out this article.
Risks You Need to Consider When Using SaaS Providers
What is Third-Party Risk Management?
Third-party risk management is an organizational discipline around analyzing and controlling the risks associated with working with vendors and 3rd party service providers. Third-party risk management is really about having strong governance over your vendor network and maintaining rigorous processes over vendor selection, onboarding, performance monitoring, and offboarding.
If you want to maintain strong governance over your vendors, you’ll need to take the steps below:
- Understand the risks associated with outsourcing various tasks and services to third-party providers
- Categorize your vendors and the assets you want to protect; know who your critical vendors are
- Create a vendor due diligence process for your organization based on your internal vendor risk appetite
- Define the critical security, privacy, and business continuity controls vendors should have in place before they’re permitted to work with your organization
- Assess vendors’ risk levels before onboarding them, by sending vendors questionnaires and/or using publicly available data sources such as security ratings (we’ll show you in a later section on questions you should be asking your vendors during the pre-contract due diligence process)
- Only onboard vendors after your risk management team have reviewed a vendor’s risk assessment results and determined that the risks they pose to your organization is within an acceptable threshold
- Mitigate select vendor risks by taking additional steps, such as by putting a contract in place in which the vendor details how they will address the risks you’re worried about
- Monitor and audit vendors on an ongoing basis
- Ensure that proper risk management procedures are taking place during vendor offboarding
To learn more about how to manage third-party risk effectively, download our ebook “5 Essential Steps to Creating an Effective Third-Party Risk Management Program”
Why is Third-Party Risk Management Important?
According to Prevalent’s 2021 Vendor Risk Management Study, 50% of surveyed organizations experienced a supply chain disruption, a third-party data breach, or another third-party induced compliance violation in 2021.
At this point, threats to your business and to your customers’ data can come in many forms. For instance, threats to customer data can come from a vendor whose IT team forgot to apply the latest patches to their own software, or from rogue insiders who abuse their inside knowledge for personal gain (e.g., trading on confidential information about your business).
In 2021, we saw a number of high-profile cybersecurity incidents that demonstrated to our government and private sector firms that organizations in the U.S. are facing increasingly malicious cyber activity. Third-party software (e.g. SolarWinds, Kaseya) was often used as the gateway for malicious actors to be able to reach a much wider number of targets. Further, natural disasters or financial failure can shut down an unprepared vendor, leaving your organization in a vulnerable position where you’re not able to deliver a mission-critical service to your customers.
You can avoid such unfortunate outcomes by taking the time to understand the risks each potential vendor poses and only work with those who have responsible security safeguards, business continuity plans, and disaster recovery plans in place.
Questions To Ask Your Vendors to Understand their Risk Profiles
Properly vetting your vendors requires asking the right questions, and Charles Denyer believes this begins with an introspective look at your own organization’s stance on risk management. “I tell organizations to look in the mirror and ask what they would do for their organization to manage risk better, then ask their vendors these same questions.
If they can’t answer these questions in the way you need them answered, then you could potentially have a significant risk issue in your supply chain, and they are a vendor you shouldn’t be doing business with.”
We compiled a list of essential questions any business can use to understand a vendor’s risk profile better. Consider asking the following questions when vetting a third-party vendor:
- What type of policies, procedures, and processes do you have in place to secure data and follow compliance regulations? Do you follow the best practices for all infosec domains, including robust risk assessment, access management, data privacy, encryption, and incident response programs?
- For cloud service providers or SaaS: Is your security architecture designed using the highest industry standards like FedRAMP?
- Do you test your security systems with both internal and accredited external audits?
- Do you have any regulatory compliance verification, such as a SOC report or a PCI Level-1 certification?
- Can you disclose with which regulatory standards your organization complies?
- Can you provide evidence of due diligence mapping of your existing controls, architecture, and processes to these regulatory standards?
- Do you have agreements in place with your supply chain holding them to your exact security and privacy standards? Can you provide documentation of these agreements?
- Does your organization have a disaster recovery and business continuity plan in place?
- Do you have multiple providers or other fail-safes for each service you rely on to maintain operations?
- If using on-premise infrastructure, do you have adequate physical security controls in place to protect all media and information systems?
- If using virtual infrastructure, does your cloud provider have sufficient security mechanisms in place, including individual hardware restoration and recovery capabilities?
- Upon termination of our business contract, do you have appropriate policies and procedures in place to ensure the safe return of all organization-owned assets and data?
To learn more about how to assess your software vendors and the types of questions you should ask them, check out this article: Defending Against Software Supply Chain Attacks: Recommendations From NIST.
Hyperproof’s Vendor Risk Management Solution
Managing third-party risk is both extremely important and challenging for businesses today. The third-party risk appears poised to grow as more enterprises continue to outsource more and more of their business functions. Organizations today have a pressing need to improve their third-party risk management capabilities.
For organizations ready to take the lead in controlling third-party risk, they can make their lives easier by using Hyperproof’s Vendor Risk Management solution. This software will help users track and manage their vendors, and create, send, and review risk assessment questionnaires to accurately identify vendor risk. Vendors can respond directly to the questions without having to log into Hyperproof.
Risk managers and security professionals can efficiently coordinate remediation tasks with vendors on the platform.
Learn more about Hyperproof’s Vendor Risk Management software: https://hyperproof.io/vendor-risk-management-software/