We are living in the big hack age. Hundreds of thousands of businesses are suffering from third-party breaches due to the rise in sophisticated tactics, techniques, and procedures employed by advanced persistent threat actors. This is only the beginning of the escalation.
There are a tonne of third-party breaches in the headlines. Security experts have been dealing with attacks since December 2020. These have included the SolarWinds attack, O365 exploits, the Accellion weakness, and now the Microsoft Exchange Server breach. Not to mention the innumerable smaller third-party intrusions in between.
In your company, who is responsible for managing third-party security risks, and do you have a strategy in place to deal with them?
TPRM: What is it?
The process of identifying and mitigating the risks connected to outsourcing to outside vendors or service providers is known as third-party risk management, or TPRM. As a business owner, you are entrusting them with sensitive resources such as customer information, employee data, operations, money, IT, and intellectual property belonging to your company.
These breaches demonstrate the fairly disorganised condition of TPRM. Almost every significant breach that has occurred recently has involved a third party.
TPRM is the weapon your company needs to go on the offensive.
You can manage the security risk associated with third parties by using these five strategies.
Accept Responsibility for the Risk
In your capacity as the organization’s leader, you bear accountability for its results, particularly in the event of mishaps. Consider the SolarWinds hack as an illustration of what should NEVER be done. They attributed their hack to a menial intern who used a shoddy password. However, who was in charge of approving the internship programme? Providing the funds for security tools? Verifying that security policies, processes, and controls were current? Confirming that the company had a security training programme? Ensuring that the security team’s efforts would offer a defense-in-depth strategy for security?
Put Together Your Risk Management Group
Select an individual to implement the TPRM programme. In an ideal world, they would be concerned about risk identification, sincerely wish to safeguard the company and the information of your clients, and have some experience doing so with cybersecurity concerns.
Small-to-medium-sized businesses (SMBs) typically select employees to lead their TPRM initiatives based on their functional expertise and capacity, which frequently entails assigning a department or individual to perform two roles. When making that choice, take into account the following benefits and drawbacks:
Information security and technology (IT/IS)
Many SMBs delegate TPRM to IT, but it’s crucial to realise that not all IT teams handle Information Systems (IS) tasks. Your IT staff will make fantastic TPRM subject matter experts if they have a specialised IS team or are well-versed in security. Otherwise, an IT staff may lack the depth of security expertise necessary to implement TPRM, because their primary focus is on making sure networks, systems, and applications operate. This also applies to a large number of outsourced IT departments.
Buying and Contracting
Given how frequently they work with contractors and vendors, this team could seem like the ideal choice to head your TPRM programme. The difficulty here is that purchasing and contracting teams typically lack the cybersecurity expertise and technological prowess necessary to assess the risk levels of your vendors, attack surface, and threat landscape.
HR, Governance, and Compliance
If someone at your company oversees regulations or compliance, and they have experience with auditing, they might be a good choice. Keep in mind that they might not have a strong enough background in technology to recognise cyber threats and hazards, and that they frequently have a full plate.
Contract management is only a tiny subset of TPRM. We find that when legal manages TPRM, they prioritise managing risk by following the terms of the contract rather than recognising technological issues or vulnerabilities posed by third parties. It can be too expensive to choose this option.
Select a Framework for Security Standards
At this point, you may choose to delegate the daily TPRM tasks, such as selecting a TPRM framework, to the team. Check whether the framework offers industry-specific recommendations. Consider your compliance and regulatory requirements. For example, risks related to e-commerce, retail, hotels, or industry sectors will be very different from risks related to third-party banking. Organisations such as NIST and ISO have assembled a number of useful resources to help you start asking all the appropriate questions.
Record External Parties
Every third party that deals with your company should be recorded. It is tempting to overlook commonplace, low-risk suppliers, but if your TPRM evaluation leaves them out, they may still be the source of some of the largest breaches. For instance, an HR document management vendor was responsible for the most recent breach at General Electric, while a stolen credential from an HVAC service provider was the cause of the 2013 Target hack.
The unknowns present the biggest obstacle when recording third parties. An insecure soda machine in the break room, for instance, might be connected to the workplace WiFi and give nefarious actors access to your network.
Evaluate, Go Over, and Edit
Create a schedule for reviewing the risk assessment procedure after completing your selected risk framework. This will allow you to update earlier documentation with new risks and the controls implemented to address them. Based on the information you gather from this approach, develop an evaluation procedure for potential suppliers. Integrate TPRM into your routine risk assessment and management tasks.
It can be difficult to identify every third-party risk, so you should prepare your response in case one of your third-party vendors has a security breach. Make sure a breach notification clause is included in your contracts. Make backup plans for things like business continuity and breach response. Lastly, think about how you would notify the public of a breach if necessary.