6 Best Practices that Reduce Third-Party Cybersecurity Risk

October 5, 2017
Steve Earley
KEYWORDS cyber risk mitigation / security risk management / supply chain management

Cybersecurity threats are increasingly sophisticated and targeted. Hackers who want your information or want to disrupt your operations are looking for any way into your network. In an interconnected world, these hackers are increasingly looking to an organization’s supply chain partners, especially those with network access but without effective cybersecurity protection.


Third-party risk management (TPRM) platforms are emerging to guard against attacks that originate in an organization’s supply chain. Ideally, these platforms help an organization map its attack surface and monitor changes to the companies that make up that attack surface, producing risk insights that let security management anticipate problems and work with its vendors to remediate them.


Getting started with TPRM requires an organization to perform a self-analysis that forms the foundation of its program. The following best practices help build that foundation:


Develop a list of high-impact vendors. You may interact with a large number of vendors, so the first step in TPRM is to consider which vendors would have the highest impact on your organization if a breach occurred. When determining your high-impact vendors, consider the sensitivity and volume of data that each vendor handles. It is also important to consider the type of data a vendor handles, such as personally identifiable information (PII), cardholder data (covered by PCI DSS) or protected health information (PHI, covered by HIPAA). Finally, consider the transactions being handled – vendors involved in bill payment, payment processing or high-dollar transactions can be particularly impactful.


Identify assets exposed to vendors and vendor assets that store your data. Next, by scanning or spidering against a vendor’s domain, you can determine a great deal of information such as what services are running or which ports are open on firewalls. This scan, combined with human intelligence, can tell a lot about a vendor. You should also ask high-impact vendors for a data flow diagram to understand where your data is going and whether there’s a fourth party you may need to be concerned with, such as a backup storage vendor. In this step, you’re not just looking at the vendor, you’re looking at the vendor’s vendors as well.


Manage the relationship with your vendors. When working with a vendor, you need to be able to understand and monitor their cyber hygiene. Consider what you are doing to ensure your data is not commingled with other companies’ data. You then need to ensure that the risk of the data stored is in alignment with the contract terms you have put in place with the vendor.


Refine the vendor list for ongoing monitoring. It’s not enough to assess a vendor just once, but it’s also not realistic to assess all vendors all of the time. After your analysis of which vendors are of highest priority, make a plan for ongoing (continuous) assessment of these vendors to ensure your data remains safe.


Develop initial “threat scenarios.” Even with ongoing assessment, threats will still loom. Organizations with a more advanced TPRM program can “visualize” or map out what the impact would be of a particular risk. The threat scenario maps out how a hacker would pivot through your network in order to get to your most important data. This step requires both technology for scanning and human intelligence for analysis.


Ongoing risk mitigation. Understanding that attackers may still get through, how will you prepare for risk mitigation?

  • Assessment – Depending on the impact of a particular vendor to your business, you may want to do deeper assessment every year and may want to go onsite for the assessment.
  • Scanning – Continuously monitor your high-impact vendors, looking for trends and threat scenarios or changes in their security posture.
  • Verify critical assets – What data could be exposed via the targeted third parties? What is the security on that data?
  • Verify controls – What does the vendor control today? You may use a “trust but verify” model, and this should be done periodically.
  • Contract review – Evaluate contracts with these vendors to ensure that data security issues and expectations are formalized.
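The practices above describe a procedure: tier vendors by the sensitivity, volume and transaction type of the data they handle, use their data-flow diagrams to find fourth parties such as a shared backup provider, and assign deeper or more frequent assessment to the highest tiers. The following Python sketch is an added example written for this article, not code from the author or from Fortress Information Security. The weights, tier thresholds, cadences and sample vendor records are constructed assumptions; a real program would take them from its own risk appetite and inventory.

```python
"""Vendor impact tiering and fourth-party mapping for a TPRM inventory.

Added illustration for this article, not the author's or Fortress Information
Security's code. Weights, thresholds, cadences and the sample vendors below are
constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Sensitivity weight per data class the vendor handles (assumed weights).
DATA_CLASS_WEIGHT: Dict[str, int] = {"PHI": 4, "PCI": 4, "PII": 3, "internal": 1, "public": 0}
# Weight per transaction type handled on your behalf (assumed weights).
TRANSACTION_WEIGHT: Dict[str, int] = {
    "payment_processing": 4, "high_dollar": 4, "bill_payment": 3, "none": 0,
}
# Assessment cadence per tier: deeper, possibly onsite, review for the most
# impactful vendors and continuous scanning otherwise (assumed policy).
CADENCE: Dict[str, str] = {
    "high": "continuous monitoring + annual onsite assessment",
    "medium": "continuous monitoring + annual questionnaire",
    "low": "annual inventory review",
}


@dataclass
class Vendor:
    name: str
    data_classes: List[str]   # e.g. ["PII", "PCI"]
    records: int              # number of your records the vendor holds
    transactions: str         # key of TRANSACTION_WEIGHT
    network_access: bool      # does the vendor connect into your network?
    data_flows_to: List[str] = field(default_factory=list)  # fourth parties on the data-flow diagram


def volume_points(records: int) -> int:
    """Band record volume so a large data store weighs more than a small one."""
    if records >= 1_000_000:
        return 3
    if records >= 10_000:
        return 2
    return 1 if records > 0 else 0


def impact_score(v: Vendor) -> int:
    """Combine data sensitivity, volume, transaction type and network access."""
    sensitivity = max((DATA_CLASS_WEIGHT.get(c, 1) for c in v.data_classes), default=0)
    score = sensitivity + volume_points(v.records)
    score += TRANSACTION_WEIGHT.get(v.transactions, 0)
    if v.network_access:
        score += 2  # a network-connected vendor is a direct path into your estate
    return score


def tier(score: int) -> str:
    """Map a score onto the high/medium/low tiers that drive the cadence."""
    if score >= 9:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def fourth_parties(vendors: List[Vendor]) -> Dict[str, List[str]]:
    """Invert the data-flow diagrams: which vendors route your data to the same fourth party?"""
    seen: Dict[str, List[str]] = {}
    for v in vendors:
        for fp in v.data_flows_to:
            seen.setdefault(fp, []).append(v.name)
    return {fp: sorted(names) for fp, names in seen.items()}


def build_plan(vendors: List[Vendor]) -> List[dict]:
    """Rank vendors by impact and attach the monitoring cadence for their tier."""
    plan = []
    for v in vendors:
        s = impact_score(v)
        t = tier(s)
        plan.append({"vendor": v.name, "score": s, "tier": t, "cadence": CADENCE[t]})
    return sorted(plan, key=lambda row: (-row["score"], row["vendor"]))


# Constructed sample inventory (fictional vendors).
SAMPLE_VENDORS = [
    Vendor("PaymentsCo", ["PCI", "PII"], 2_000_000, "payment_processing", True, ["BackupVault"]),
    Vendor("ClinicPortal", ["PHI"], 50_000, "none", False, ["BackupVault"]),
    Vendor("NewsletterSaaS", ["PII"], 20_000, "none", False),
    Vendor("OfficeSupplies", ["internal"], 500, "none", False),
]

if __name__ == "__main__":
    for row in build_plan(SAMPLE_VENDORS):
        print(f"{row['vendor']:<15} score={row['score']:>2} tier={row['tier']:<6} {row['cadence']}")
    for fp, names in fourth_parties(SAMPLE_VENDORS).items():
        print(f"fourth party {fp} receives data from: {', '.join(names)}")
```

Running it ranks PaymentsCo as the only high-tier vendor and shows that BackupVault is a fourth party shared by two vendors, which is the kind of concentration the data-flow step is meant to surface.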


Any risk you can’t mitigate, you want to be able to manage. By using these TPRM best practices, your company and its data will be in the best possible position in the event that an attack occurs.


Steve Earley, Director, Third Party Risk

Fortress Information Security
