Third-party risks continue to be a serious cybersecurity threat, so properly assessing a third-party is paramount to any risk management strategy. According to Gartner, 71% of organizations reported their network contains more third-parties than it did three years before. This number is expected to grow even larger in the next few years.
With cloud-based services and the Internet of Things increasing cybersecurity risks nearly as much as they open new doors for business operation, it has become imperative to create and maintain formal programs for third-party risk management in order to avoid being compromised. In this blog, we offer a practical approach to start the due diligence process.
Understanding the risk
Implementing new technologies and relying on more third-party solutions and services is a must for any company that aims to keep up with the ever-evolving world. Partnerships offer the opportunity for greater agility, exceptional customer experiences and profitable growth.
According to Gartner, 60% of organizations are now working with more than 1,000 third-parties.
That said, these technologies need to be secured and properly evaluated before fully entering the process and data ecosystem of an organization. They will likely have access to sensitive data about technology, finances, inventory, shipping, licensing, media & advertising, recruiting, payroll, sales partners & distributors, among many other things.
What’s more, in an ideal scenario, there should be a third-party risk assessment both before and after the adoption of new technologies. It’s only natural that business relationships evolve as time goes by. There can be changes in scope, goals, strategy, and staff over the course of a relationship with a third-party. This means the assessment is not over after the initial due diligence process; in fact, organizations need to implement ongoing monitoring strategies.
For starters, let’s take a look at 7 useful questions to ask during the assessment.
A practical approach: 7 questions to ask when Assessing a Third-Party
- Does the third-party regularly check user privileges, and are these based on the principle of least privilege?
- Does the third-part have an updated information security program in place, with documented policies and procedures?
- Are their employees trained on basic security best practices to deflect social engineering attacks, avoid phishing and scams?
- What is their notification process when your data is shared with other parties?
- Do they employ mechanisms to control access to areas containing sensitive information assets?
- Do they have an incident response plan?
- Are they willing to enact cybersecurity requirements through a formal agreement?
Now, these won’t cover the entire spectrum of third-party risk management, but this is a great starting point that will allow a company to make an informed decision when assessing a third-party.
Performing a deeper third-party assessment is not as hard as it sounds anyway, as there are tools and new approaches to simplify the process. For example, our ThirdPartyTrust platform leverages the work of industry peers who have already reviewed common third-parties, automating data gathering and, as stated above, implementing ongoing monitoring strategies for periodic recertification.
Another thing to consider is accountability, as it can be hard to determine when there’s no people or department in charge of managing third-party risk. Sometimes it’s not even a matter of not having a designated resource, but a matter of compliance officers having too much on their plates – with responsibilities extending beyond their own companies and into the increasing map of service providers and supply chain partners.
Putting cybersecurity first
Companies are realizing cybersecurity is a top-tier issue. Gartner research revealed that compliance programs are focused on third-party risk more than ever before: more than twice the number of compliance leaders considered it a top risk in 2019 than three years before.
Nevertheless, there is still a gap in how and to what extent it is approached in practice. One thing is to understand the implications of a data breach or cyberattack, and another is to be aware of the actual vulnerabilities that need to be addressed.
No industry is exempt from the attention of cyber security risks. As the threat landscape constantly evolves, so does third-party risk, with networks becoming larger and more complex. The time to check defenses is now, not later!
If you are interested in learning more about our third-party risk platform please click here.