Cybersecurity threats are increasingly sophisticated and targeted. Hackers who want your information or want to disrupt your operations are looking for any way into your network. In an interconnected world, these hackers are increasingly looking to an organization’s supply chain partners, especially those with network access but without effective cybersecurity protection.
Third-party risk management (TPRM) platforms are emerging to guard against attacks that originate in an organization’s supply chain. Ideally, these help an organization map its attack surface, and monitor changes to the companies that are part of that attack surface, with the result being risk insights that let security management anticipate problems and work with its vendors to remediate these risks.
Getting started with TPRM requires an organization to do a self-analysis that will form the foundation for its program. The following best practices can be used to set a foundation for successful TPRM:
Develop a list of high-impact vendors. You may interact with a large number of vendors, so the first step in TPRM is to consider which vendors would be of highest-impact to your organization if a breach occurred. When determining your high-impact vendors, consider the level of sensitivity and volume of data that a vendor is handling. It is important to also consider the type of data a vendor is handling, such as personally identifiable data (PII), cardholder data (related to PCI) or protected health information (PHI, related to HIPAA). Finally consider the transactions being handled – those involved in bill payment, payment processing or high-dollar transactions can be particularly impactful.
Identify assets exposed to vendors and vendor assets that store your data. Next, by scanning or spidering against a vendor’s domain, you can determine a great deal of information such as what services are running or which ports are open on firewalls. This scan, combined with human intelligence, can tell a lot about a vendor. You should also ask high-impact vendors for a data flow diagram to understand where your data is going and whether there’s a fourth party you may need to be concerned with, such as a backup storage vendor. In this step, you’re not just looking at the vendor, you’re looking at the vendor’s vendors as well.
Manage the relationship with your vendors. When working with a vendor, you need to be able to understand and monitor their cyber hygiene. Consider what you are doing to ensure your data is not commingling with other companies’ data. And then you need to ensure the risk of the data stored is in alignment with the content terms that you’ve put in place with the vendor.
Refine the vendor list for ongoing monitoring. It’s not enough to assess a vendor just once, but it’s also not realistic to assess all vendors all of the time. After your analysis of which vendors are of highest priority, make a plan for ongoing (continuous) assessment of these vendors to ensure your data remains safe.
Develop initial “threat scenarios.” Even with ongoing assessment, threats will still loom. Organizations with a more advanced TPRM program can “visualize” or map out what the impact would be of a particular risk. The threat scenario maps out how a hacker would pivot through your network in order to get to your most important data. This step requires both technology for scanning and human intelligence for analysis.
Ongoing risk mitigation. Understanding that attackers may still get through, how will you prepare for risk mitigation?
- Assessment – Depending on the impact of a particular vendor to your business, you may want to do deeper assessment every year and may want to go onsite for the assessment.
- Scanning – Continuously monitor your high-impact vendors, looking for trends and threat scenarios or changes in their security posture.
- Verify critical assets – What data could be exposed via the targeted third parties? What is the security on that data?
- Verify controls – What does the vendor control today? You may use a “trust but verify” model, and this should be done periodically.
- Contract review – Evaluate contracts with these vendors to ensure that data security issues and expectations are formalized.
Any risk you can’t mitigate, you want to be able to manage. By using these TPRM best practices, your company and its data will be in the best possible position in the event that an attack occurs.