When you outsource to a third-party vendor, your company's sensitive data is exposed to that vendor's security posture every day. Third-party breaches can result in significant financial consequences, lost data and productivity, reputational damage, compliance violations, fines, and other legal liabilities. A recent survey by Anchore, a security vendor, found that 64% of businesses had been affected by a supply chain attack in the past 12 months.
Cybercriminals can abuse the supply chain in several ways, including compromising third-party software updates, stealing login credentials held by third parties, or injecting malicious code into vulnerable systems. A comprehensive third-party cyber risk management (TPCRM) program is essential not only to mitigate these risks but also to onboard, manage, and maintain third-party vendors effectively and securely. Follow these five steps to create a TPCRM framework that protects your organization and customers.
1. Identify all of your third party vendors
First, create an inventory or central repository of all your third-party vendors. Start with those that provide critical supplies or services for your business, and then move on to smaller vendors that offer support services. Every vendor used by every department needs to be accounted for — a single overlooked vendor, no matter its size, is all it takes to put the entire organization at risk.
2. Determine risk potential for each vendor
Each vendor presents a different level of risk. For example, vendors that provide critical services usually have access to sensitive information and therefore pose a larger threat to your organization. Create a scoping questionnaire, to be completed by the employee who owns the vendor relationship, that records the service offered; the location, type, and sensitivity of the data being accessed, stored, or processed; and any related factors. From those answers you can determine what type of security assessment each vendor requires.
3. Address risks by priority
Assign a risk rating to each vendor based on the level of threat it poses to your business. Typical rating tiers and the response expected for each include:
- High Risk – Deploy corrective measures immediately
- Medium Risk – Deploy corrective measures within a set period
- Low Risk – Accept the risk or create a longer-term mitigation plan
Once you've completed the assessment, senior management can decide how to respond to each vendor individually. Requiring controls such as encryption, multi-factor authentication (MFA), and endpoint detection and response can help boost your protection against all types of threats.
It's important to address these risks by specifying the required controls and breach notification requirements in your contracts with the vendor. Vendors should understand your cyber security expectations clearly and act accordingly.
4. Ensure vendors provide adequate training to their agents
Ensure that your vendor's employees, contractors, and even their own vendors are prepared to protect your data through adequate training. Training for these groups, combined with documented and enforced access management, is critical to data protection. Confidentiality agreements, security awareness training, management of sub-vendors, and access management are just a few of the ways to make sure that anyone with access to your data has the correct training.
5. Monitor third party risks periodically
Third-party risk evolves continuously, driven by changes to the services you consume, the scaling of your business, and the supplier's financial health, market conditions, or ability to deliver. Regular monitoring is necessary to keep risks in check, meet regulatory compliance requirements, protect customer information, and maintain the overall health of your organization. Risks should be monitored throughout the entire vendor lifecycle — from onboarding to offboarding. Remember, your TPCRM program is a cornerstone of a strong security foundation.
IT Risk Assessments in NJ & FL
Mindcore performs a wide range of IT risk assessments for companies in New Jersey and Florida to identify weaknesses and vulnerabilities in your assets, creating a risk profile for each one. Our cyber security specialists will create a customized security plan to reduce the likelihood of threats occurring and enforce appropriate controls for detected risks. Contact us to learn more about our cyber security services or schedule a consultation today!