Third-party risk: 3 actions security leaders should take to safeguard their business

About the author

Brian Prince

Newsroom Reporter

Brian Prince is a marketing content creator and former journalist who has been focused on cybersecurity for more than 15 years.

24 July 2025

The most dangerous punch in boxing is the one you don’t see. The same is true in cybersecurity. 

Businesses focus on protecting their digital assets with a mix of threat detection, monitoring, and access controls. But a problem quickly arises — not all of their data is within the virtual walls of their network.  

Cyber resilience in this environment requires more than knowing how well your business can withstand a cyberattack aimed directly at your own network. It also requires insight into your ecosystem of partners and how they handle security. Whether they are payroll processors, suppliers, or some other type of vendor processing or storing your data, third parties add another layer to an enterprise's attack surface and are a potential weak point in a company's regulatory compliance and cybersecurity programs.

The bottom line is that downtime for them may mean downtime for you, so successfully managing third-party vendor relationships, from onboarding through incident response, is critical to business continuity. "Proactive third-party risk management (TPRM) enables organizations to put effective safeguards in place to strengthen resilience against incidents that will disrupt the business," says Christelle Chau, Vice President, Security GRC at Okta.

Below, we’ve outlined three critical actions security leaders should take to safeguard data and systems from third-party risk and potential disruptions.  

1. Evaluate your partners based on business criticality and their potential for harm 

The sheer number of vendor relationships that have to be managed can be daunting. Once a company has established the goals of its TPRM program, the first step is to inventory its partner ecosystem, Chau says.

“The continued reliance on third parties requires deeper due diligence due to the risks and uncertainties they can potentially bring,” explains Chau. 

Unfortunately, Chau says, third-party risk processes are often antiquated and focused on the onboarding stage. Organizations need to move away from a checklist approach and employ innovative ways to contextualize their assessment approach. 

At Okta, the information gathered from third parties enables the company to evaluate the protections and controls being used. According to Chau, potential security gaps can be identified, and Okta can work with the partner to help remediate them.

Ken Collins, Senior Director of Information Security at Sunbelt Rentals, says his team conducts thorough assessments of third-party vendors, with the tightest focus going to the ones deemed mission-critical. 

“We collect as much relevant data as we can — security policies, SOC reports, any compliance or security certifications, and so on — and make sure it meets our standards,” he says. “We use that information to determine the risk rating of each vendor, and if it’s acceptable, we move forward. We also reassess that vendor periodically depending on their risk profile.” 

Not all third parties bring the same level of risk; therefore, they should be classified and categorized with different severity levels based on the type of products/services they provide to the organization, their access to data and the network, and the business impact of a security incident, Chau explains. 

The identity and access management piece of this is critical. The same identity fabric protecting an organization’s employees has to be woven around any third parties that access the organization’s systems and data. That means applying the appropriate monitoring, provisioning, and deprovisioning of these entities according to policy, Chau says. 
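The two ideas in this section, tiering vendors by data access and business impact and then provisioning, monitoring and deprovisioning their identities according to policy, are the kind of thing a security team ends up scripting against its vendor inventory and directory. The following is an added illustration written for this article, not tooling from Okta or Sunbelt Rentals. Every vendor, account, tier rule, idle-login window, reassessment cadence and group name in it is a constructed assumption chosen to show the checks; a real implementation would read the inventory and directory from the organization's own systems.

```python
"""Vendor tiering and third-party identity hygiene checks.

Added illustration for this article; not Okta's or Sunbelt Rentals' tooling.
Every vendor, account, tier rule, threshold and group name below is a
constructed assumption chosen to show the checks, not real data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed tier rule: rank the most sensitive class of our data the vendor
# handles plus the business impact of its outage; credentials into our
# network add one.  Tier 1 is most critical.
DATA_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
IMPACT_RANK = {"low": 0, "medium": 1, "high": 2}
MAX_IDLE_DAYS = {1: 30, 2: 60, 3: 90}           # assumed idle-login window per tier
REVIEW_INTERVAL_DAYS = {1: 90, 2: 180, 3: 365}  # assumed reassessment cadence per tier
PRIVILEGED_GROUPS = {"global-admins", "domain-admins"}  # assumed group names


@dataclass(frozen=True)
class Vendor:
    name: str
    service: str
    data_classification: str  # highest class of our data the vendor handles
    network_access: bool      # holds credentials into our environment
    business_impact: str      # effect on operations if the vendor is down


@dataclass(frozen=True)
class ExternalAccount:
    username: str
    vendor: str
    last_login: Optional[date]  # None = never used
    contract_end: date
    groups: frozenset


def vendor_tier(v: Vendor) -> int:
    """Return 1 (most critical) to 3 from the additive score described above."""
    score = DATA_RANK[v.data_classification] + IMPACT_RANK[v.business_impact]
    if v.network_access:
        score += 1
    return 1 if score >= 4 else 2 if score >= 2 else 3


def deprovision_candidates(accounts, vendors, today):
    """Return (username, reason) for each third-party account that policy says
    should be removed: contract over, never used, or idle beyond the window for
    its vendor's tier.  An account whose vendor is missing from the inventory is
    flagged too: access nobody owns is access nobody will revoke."""
    by_name = {v.name: v for v in vendors}
    findings = []
    for a in accounts:
        v = by_name.get(a.vendor)
        if v is None:
            findings.append((a.username, "vendor not in inventory"))
        elif a.contract_end < today:
            findings.append((a.username, "contract ended"))
        elif a.last_login is None:
            findings.append((a.username, "never logged in"))
        elif (today - a.last_login).days > MAX_IDLE_DAYS[vendor_tier(v)]:
            findings.append((a.username, "idle beyond tier window"))
    return findings


def privileged_external_accounts(accounts):
    """Least-privilege check: third-party identities should never sit in
    blanket admin groups; list any that do."""
    return [a.username for a in accounts if a.groups & PRIVILEGED_GROUPS]


def reassessments_due(vendors, last_assessed, today):
    """Vendors whose last assessment is older than their tier's cadence allows.
    last_assessed maps vendor name -> date of last review (absent = never)."""
    due = []
    for v in vendors:
        last = last_assessed.get(v.name)
        if last is None or (today - last).days > REVIEW_INTERVAL_DAYS[vendor_tier(v)]:
            due.append(v.name)
    return due


# Constructed sample inventory and directory extract (not real vendors or users).
TODAY = date(2025, 7, 24)
VENDORS = [
    Vendor("PayCo", "payroll processing", "restricted", False, "high"),
    Vendor("FixIt", "on-site equipment maintenance", "internal", True, "medium"),
    Vendor("SiteChat", "website chat widget", "internal", False, "low"),
]
ACCOUNTS = [
    ExternalAccount("payco-svc", "PayCo", date(2025, 7, 20), date(2026, 1, 31),
                    frozenset({"payroll-readers"})),
    ExternalAccount("payco-auditor", "PayCo", date(2025, 5, 1), date(2026, 1, 31),
                    frozenset({"payroll-readers"})),
    ExternalAccount("fixit-tech1", "FixIt", date(2025, 7, 1), date(2025, 6, 30),
                    frozenset({"vpn-users", "domain-admins"})),
    ExternalAccount("fixit-tech2", "FixIt", None, date(2025, 12, 31),
                    frozenset({"vpn-users"})),
    ExternalAccount("sitechat-bot", "SiteChat", date(2025, 5, 1), date(2026, 6, 30),
                    frozenset({"web-integrations"})),
    ExternalAccount("acme-svc", "Acme Legacy", date(2025, 7, 23), date(2026, 1, 1),
                    frozenset({"file-share"})),
]
LAST_ASSESSED = {"PayCo": date(2025, 3, 1), "FixIt": date(2025, 6, 1)}  # SiteChat: never

if __name__ == "__main__":
    for v in VENDORS:
        print(f"{v.name}: tier {vendor_tier(v)}")
    print("deprovision:", deprovision_candidates(ACCOUNTS, VENDORS, TODAY))
    print("privileged external accounts:", privileged_external_accounts(ACCOUNTS))
    print("reassessments due:", reassessments_due(VENDORS, LAST_ASSESSED, TODAY))
```

The point of tying the idle window and review cadence to the tier is that the same 84 days of inactivity is a deprovisioning finding for a payroll processor's auditor account but unremarkable for a low-impact chat widget, and that a vendor absent from the inventory surfaces as a finding in its own right rather than silently escaping every check.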

2. Prioritize open communication with partners

It’s important to remember, Collins says, that these relationships are bidirectional. Maintaining good communication with partners is a must so that, in the event of an incident, affected organizations can quickly take steps to mitigate risks.

“Strong communication is important — not just during the onboarding process, but in general,” Collins says. “When something is wrong, we need to trust that our partner will let us know as quickly as possible so we can respond and take remedial action.”

In the event of a third-party incident, organizations should establish an open communication path with the third party to gather the root cause of the incident and identify impacted systems/assets and contractual notifications, Chau says. “From there,” she continues, “they should perform an impact analysis based on the data, systems, and products that are affected and their potential impact on the business.” 

3. Develop a robust incident response plan for third-party breaches

After determining whether the incident is adequately contained, organizations should identify remediation activities such as discontinuing use of the third-party products and deploying alternative solutions, and determine the need for external communication based on the notification requirements of regulations and data breach laws, Chau says.

After an incident, organizations should perform a root cause analysis, a new third-party risk assessment, and performance monitoring. Additionally, internal stakeholders should consider making any necessary adjustments within SLAs and contracts, Chau says.

“True security extends beyond an organization’s walls,” Chau says. “True resiliency has to involve maintaining an ongoing awareness of the risk posed by third-party vendors and being prepared to respond before an incident takes place.”

Checklist: Strategic Priorities for Your TPRM Program

  • Inventory your vendors and understand the relationships and services/products they provide.

  • Categorize vendors according to risk. Understand the individual security and compliance requirements needed for each vendor and the impact an incident can have on your operations. 

  • Determine the access level the partner needs and enforce least privilege. 

  • Periodically reassess your vendors and their compliance with the SLA.

For more insights on building a cyber-resilient business, read From vulnerabilities to vendor trust: How CISOs build cyber resilience.
