Third-party risk management (TPRM) is about identifying, analyzing, and reducing risks from third parties. But what does it have to do with cyber awareness?
Well, more and more, cyber risk is coming from third parties, often critical third parties. So how do you mitigate third-party cyber vulnerability at your organization?
Read on to find out.
What is third-party vulnerability?
Third parties, of course, are outside parties, including suppliers, manufacturers, service providers, business partners, redistributors, etc., who perform services or activities on your behalf.
These parties, by virtue of performing those services, create vulnerability or risk – third-party risk.
Not all third-party risk is material, i.e., not all of it poses grave consequences. However, some vulnerabilities are material, particularly when the services or activities that third parties perform are material business activities.
Material business activities are prioritized activities that if disrupted will have a significant impact on an organization’s business operations or the ability of that organization to manage its risks effectively.
Third-party cyber incidents and IT outages on the rise
The trouble, therefore, comes when third-party risk, especially risk from critical third parties, becomes third-party incidents. We’ve seen too many of those in recent times.
In fact, 98% of organizations reported having a relationship with a vendor that experienced a breach within the last two years, according to a 2023 Apple study. Another industry survey from 2023 attributes nearly 30% of data breaches to third-party cyber vulnerabilities.
Strategies to mitigate third-party cyber vulnerability
The question, then, turns to the strategies needed to shore up third-party vulnerabilities to avoid third-party incidents. Best-practice strategies endorsed by such industry heavyweights as the American Hospital Association include:
1. Know what your third-party risk management program is doing
Third-party risk is becoming serious enough that organizations are establishing TPRM programs. But the work isn’t done when those programs are established.
Rather than set it and forget it, organizations will have to review what those programs are doing, looking closely at the governance structure (who’s doing what) to determine whether the right people are empowered and at the table.
Risk managers attached to the program need to be taking a multidisciplinary approach to the creation of a dynamic risk inventory of all third-party vendors that have access to systems.
2. Incorporate cybersecurity into third-party risk management
The two go hand in hand: the growth of TPRM programs has everything to do with the rise in cyber incidents linked back to third-party vendors.
As a result, organizations must be ruthless about implementing risk-based third-party controls and cyber liability insurance requirements based on identified cyber risk levels – we can’t stress this enough.
This will ultimately entail formalizing policies, procedures, and processes for incorporating cybersecurity into third-party risk management.
Specific strategies to consider include in-depth technical, legal, policy, and procedural reviews of the TPRM program.
3. Give the TPRM program internal visibility
The TPRM program needs to be considered as part of a broader culture of risk and resilience. To ensure that that culture is thriving, stakeholders need to be consistently and clearly communicating TPRM policies, procedures, and requirements to the rest of the organization.
Consider it an education campaign in which senior leaders are teaching individual business units about organizational cybersecurity requirements for third parties and the potential cybersecurity risks to the organization that are involved in work using third-party vendors.
4. Prepare third-party incident response and recovery plans
The best defense is offense. Third-party incidents are so common that it would be foolhardy not to plan for one.
But planning measures need to include a process for identifying all internal and external, third-party, and supply chain providers of critical functions, services, and technology.
From there, the organization can develop incident response plans and downtime procedures, digitized in security management software, for each internal and external critical technology and services dependency.
Incorporate the resultant plan into the overall incident response plan. And then integrate your business continuity plan and downtime procedures into overall incident-command and emergency-preparedness functions. Train staff accordingly.
Cyber actors are getting smarter. They’ve identified third parties as vulnerabilities and are exploiting those weaknesses ruthlessly.
To shore up any vulnerabilities you may have, you need to pursue third-party risk management just as zealously. For more strategies on how to build a best-practice TPRM program at your organization, read our Introductory Guide to Third-Party Risk Management.