Third-party risk management: are your vendors the weak link in your cyber security?

Author: David Grady

As 2021 begins, cyber security risks from software vendors are a hot topic. The recently discovered Russian-state-linked hack of B2B software vendors, and another attack exploiting a vulnerability in a popular e-mail system, have affected a broad swath of private companies and government agencies.

What is third-party risk management?

What you buy carries inherent risk. Third-party cyber security risk is the potential that your enterprise may be compromised through its vendors of services, software, devices and the like. Businesses are ecosystems that rely on providers of services, software and data for efficient workflows and to offer new products and services. You may be using Software-as-a-Service to give you the latest collaboration tools. Maybe you’re hosting some of your critical services—from your customer-facing websites to your incident response plan—with third-party cloud providers. You may also be receiving automatic updates from your software and hardware vendors. Each of those vendors has some level of access to your IT systems and customer data, and that connectedness is what makes third-party risk management a challenge.

Malicious cyber actors aim for an enterprise ecosystem’s weakest point to gain access, and that point is often a supplier rather than the target itself. If your vendors and partners aren’t investing enough time and money in cyber security, your enterprise is at greater risk. As the recent Russian hack of B2B software vendors has shown, this risk can have severe impact.

What should you do about third-party risk management?

To reduce third-party risk, make sure the vendor and partner security practices don’t present a blind spot. Reviewing vendors’ cyber security postures must be part of your basic vendor audit process. Assess their defenses and their approach. Also, be sure you know where your data will reside and how timely and easy access will be if there is a cyber security incident.

Here are some questions you should ask before you sign a contract with a vendor:

How seriously is your vendor taking its cyber security risk?

A vendor should have a regular patching process, segment its critical systems, and use robust authentication. It should perform regular, standardized security testing of its networks and processes. It should be able to show that its staff understand cyber security risks and are effectively monitoring for unusual activity and indicators of compromise. It should have an effective incident response plan that you, the customer, can work with during an incident. It should also have its own strong third-party risk monitoring and plans, because vendors rely on vendors too. Ask for documentation: trust, but verify their claims.

Where will your data reside when a vendor has it?

If your vendor is using another partner, you need to understand the third-party risk to your data. You also need to know where your data resides, and how it’s protected.

Does your contract oblige your vendor to assist during a security incident?

Without the vendor’s help, you may never be able to identify what’s gone missing or how an attack was carried out. Your contract should also document data breach notification requirements and timeframes, so that a vendor’s delay in telling you does not delay your own response.

How can cyber security vendors help?

Cyber security vendors can help you by publishing research that helps you better understand today’s cyber threat landscape, as in Verizon’s 2020 Data Breach Investigations Report, and by offering monthly intelligence briefings such as those from Verizon’s Threat Research Advisory Center.

Learn how to help protect your network by understanding some of the best practices for choosing a security provider.