Security Experts:

Best Practices for Evaluating and Vetting Third Parties

The global and interconnected nature of business today means that no company or organization is an island. Every modern business relies on many others, either as part of the supply or distribution chain, or for value-added services like accounting and social media marketing. 

But employing a third party adds risk, especially if that company is given some level of access to network and computing resources, or is asked to handle and protect critical or proprietary information. Attackers may not need to breach a well-protected internal server if a third party holds the same information and protects it less rigorously. If a third party is given some level of trusted access to internal networks, it might be easier for a hacker to simply compromise the third party and then use that access to “legitimately” enter the network containing the target data they want to steal.

If the fates of companies like Delta, Best Buy, Target and so many others tell us anything, it’s that having good internal security, while critical, is no longer enough. In fact, a 2018 study from Ponemon found that more than half the breaches in the United States these days are due to third parties. To be fully protected requires a solid Third-Party Cyber Risk Management (TPCRM) program. Ultimately, it is vital for organizations to manage risk across their entire portfolio or ecosystem, by first identifying who poses them the most risk, and then applying the right level of due diligence to those vendors. Organizations also need to ensure that their due diligence provides them with actionable insights: where exactly are the security gaps, and which ones should be prioritized? What needs to be remediated within that vendor’s security practices to ensure all of the dominoes don’t fall? An effective third-party cyber risk management program should enable organizations to confidently engage with their third parties, or to take the action necessary to reduce risk.

The first step to figuring out your third-party cyber risk is to identify all of the vendors you are working with. This can be accomplished by getting a list of all outgoing payments for some period of time, likely for the previous year. You might be surprised how many vendors your company is actually employing. Once you have figured out how many vendors are involved, it’s time to prioritize them and determine what level of due diligence they require. 

A critical step for prioritizing your vendors is understanding how you use them. Do you share data with them? Do they have access to your facilities? Not all third parties are created equal, and therefore they do not all require the same level of assessment or resources. For example, your groundskeeper, whose primary role is to maintain the grounds surrounding the company headquarters, likely has limited access to the building and no access to the IT infrastructure except to email their invoices monthly, meaning that gaps in their security procedures are less critical than gaps at your accounting firm, which has access to your critical financial records. Understanding how you use your third parties gives you perspective on your inherent risk: the risk you assume with that third party, absent any security controls. Those insights can then be used to help you identify who poses the greatest risk to your organization, so you can determine whom to assess and at what level.

Once this has been done, your vendors can be divided into a few categories based on their risk factors: for example, High, Medium or Low. Then you can assess them accordingly, with more stringent assessments for the High category and so on. The results of the assessments should provide you with the insights you need to determine what to do next. Equally important, assessments should provide you with ongoing visibility. Given the constantly evolving threat landscape, a static, point-in-time assessment will drain both your resources and your third parties’, only to be out of date within a day. Are there gaps that need to be remediated? If so, which ones are most critical? Can you work with the vendor to mitigate them, or do they pose too much risk to keep working with? Vendors that you like working with but which carry unacceptable risk can be given the chance to improve their score, though that is up to you. In the end, you may need to stop working with risky third parties in favor of those with more proactive cybersecurity practices. The risk of not doing so is far too high.

Ultimately, it’s important to remember that you don’t have to go it alone when managing third-party cyber risk. There are solutions today that are designed to evaluate third parties in terms of their cybersecurity maturity. With the right solution, it’s very possible to quickly go from being completely blind to third-party cyber risks to having a clear plan, succinct goals and better security for your own organization and all the businesses with whom you choose to partner.

As Chief Executive Officer, Fred Kneip is responsible for the overall company direction of CyberGRX. Prior to joining the company, Fred served in several senior management roles at Bridgewater Associates, including Head of Compliance and Head of Security. Before that, Fred was an Associate Principal at McKinsey & Co., where he led the company’s Corporate Finance practice. Fred has also worked as an investor with two later-stage private equity investment firms. Fred holds a B.S.E from Princeton University and an M.B.A. from Columbia Business School.