Even if you do everything by the book, third-party risks remain a considerable threat to an organization’s security. However, there are strategies organizations can employ to minimize the impact of third-party vulnerabilities and prevent successful exploits.
As we detailed in a previous entry, a variety of factors can leave organizations susceptible to third-party risk. The good news is that managing third parties effectively is something any organization can achieve by instituting the right policies and practices.
To reduce third-party risk in your company, here are a few things to keep in mind.
How to reduce third-party risk
#1: Continuously monitor risk. Conducting an annual risk assessment of your third-party providers used to be good enough, but those days are over. Today’s businesses move at the speed of data — and if data assets can be compromised overnight, then so can the business. An annual risk assessment gives an organization a snapshot of a vendor’s security at a single point in time, not a view of how it holds up over the months in between. A 2022 report by CRA Business Intelligence finds that 46% of organizations use annual risk assessments to mitigate risk, whereas just 29% use real-time information, risk metrics, and ongoing monitoring of third parties. Where possible, organizations should work with vendors to ensure risk can be monitored on an ongoing basis.
#2: Adopt an automated third-party risk management platform. In the last few years alone, the number of third-party suppliers has spiked. Today, the average company has approximately 88 third-party partners, according to CRA Business Intelligence data. With most organizations already operating with limited headcount, there is simply no way to track risk manually across such a diverse network of vendors, manufacturers, distributors and suppliers. With the aid of automation, organizations can. These platforms can provide a single, shareable source of insights, rapidly scan massive data sets to flag potential threats, and generate real-time reporting that gives security teams constant visibility into the assets used by third parties. As the Cloud Security Alliance says, “integrating automation into your third-party risk management program may seem difficult, but given the growing complexities in accurately collecting and screening third-party data and the need for deeper due diligence, there is no other choice but to mitigate risk while reducing costs.” Respondents in CRA’s survey would agree: among those who expressed high concern about managing their third-party risk, 44% cited the lack of an automated solution as a primary obstacle.
#3: Work with vendors that prioritize visibility, and cut ties with those that don’t. IT security pros surveyed by CRA Business Intelligence repeatedly voiced frustration at not being able to verify or validate third-party security controls and policies. Only 11% of all respondents claimed to have full visibility across all tiers of providers, whereas 12% reported having no visibility whatsoever. “Our top challenge is that we do not have visibility into the vendor’s security controls,” said one respondent. “Nor do we have control when it comes to auditing third parties — so we have no idea if third parties are in compliance with our regulatory needs.” Organizations should seek out vendors that provide clear, consistent communication and transparency with regard to security controls, data use, and identity and access management, as well as timely notification when vulnerabilities are discovered.
#4: Enforce third-party risk management policies and practices. When negotiating contracts with third parties, organizations should do their due diligence to ensure that vendors abide by industry-approved risk management policies. These policies and requirements include (but are not limited to) standards such as NIST’s Risk Management Framework, Level 2 compliance with the Cloud Security Alliance’s Security, Trust, Assurance and Risk (STAR) program, the Cybersecurity Maturity Model Certification (CMMC), and the Cloud Security Alliance Cloud Controls Matrix (CCM). Additionally, organizations can request that vendors provide a software bill of materials (SBOM) upfront, giving them an inventory of the components in the software being purchased that can be checked against known vulnerabilities and used to verify its integrity.
#5: Get management on board. According to infosec professionals from CRA’s survey, “buy-in from executive management… is a real issue; without it, we can’t mitigate third-party risk.” While attention to third-party risk has grown considerably in the last year — with 68% saying it has become a more important priority for their organization — there is still a vacuum of leadership at the top when it comes to setting the tone for third-party risk management initiatives. Thirty-eight percent cite a lack of upper management guidance, and 44% say current budgets give their organization no means to onboard capabilities that could improve third-party risk management. Consequently, organizations have adopted a reactive security posture that simply feeds a vicious cycle of ‘breach-and-respond’. As one respondent puts it, “we have so many third-party vendors and when data breaches show up on CNN, the C-suite and board perk up and expect something to be done proactively to protect our institution from lapses in security from our third-party vendors.” With reliance on third parties only expected to increase in the coming years, leadership should put their money where their mouth is by making critical investments in the personnel and tools that can help secure their growing network of providers.