This article first appeared on Forbes.com on April 13, 2021.
During the past year, IT and security concerns have increased dramatically, shifting in unpredictable ways that require business leaders to embrace a new approach to third-party risk. The InfoSec community, for instance, is still trying to understand the full scope of the recent attack against SolarWinds.
SolarWinds had checked all the right boxes, earned the trust of its business partners and customers, and couldn’t have done anything to stop the bad actors. Still, it raises the question: At what point has adequate third-party risk management been conducted?
That’s why managing third-party risk is so critical, no matter the size or the industry. Whether at an enterprise or a startup, you are likely working with multiple vendors, using their software, and relying on their systems. When thinking about third-party risk, it’s important to do your due diligence and implement proper risk mitigation. You have to assess your vendors, make sure they meet required obligations, and know the risks of working with them — because if they go down, your business may, too.
At Reciprocity, we’ve advised numerous clients about third-party concerns this year. Here are the 5 steps we’re advising businesses to take right now:
1. Identify your third-party risks.
First, you need to understand what data is at risk and what is shared with your third-party vendors. There will always be some inherent risk in sharing any data, but it’s important to focus on the most sensitive and vital data to know what you should prioritize. Customer data, particularly financial information, should be at the top of your list as the highest-value assets you have.
Check your list of vendors and note which have access to your highest-value data assets. Some of your vendors likely have access to the most critical data that you’re trying to protect. Consider the scope of the potential impact of third-party risks to determine what needs to be covered in contractual obligations, and build a third-party assessment into your onboarding process so that you understand each vendor’s security documents.
2. Assess the criticality of third-party risks.
Next, analyze the role that these vendors play in your business and the likelihood that they may be compromised. For instance, bookkeeping and payment platforms likely factor critically into your operations. If the role is critical and the risk is high, you may want to assess these vendors more often. Make sure you consider the type of data — such as personal information, health information, financial information and internal intellectual property — as well as the financial or reputational impacts that could stem from a breach.
Ensure that all stakeholders take time to assess the criticality of data and what’s at stake. Product and engineering teams, for instance, may see data differently than the sales or executive teams. Consider removing the vendors that don’t meet your due diligence process. In some cases, vendors may seem “too big to fail” and are ingrained into your operations. However, you should double-check what is vital for your company, which may come down to a conversation of cost and return on investment for the potential risk.
3. Ensure that vendors will provide notification of security incidents.
Third-party vendors should keep you abreast of any security issues, especially because any security concerns will affect your customers. However, this isn’t a given and may be left out of contracts. Review the terms to make sure that data privacy breaches and data processing details are thoroughly explained. Plenty of contracts contain data privacy details but not data security details.
Beyond that, work with your procurement team to ensure that risk transference is secured through cyber breach insurance. Contracts should include information about the maximum amount of potential insurance and incident report requirements. Data privacy leaks at Target and Home Depot in 2014, for instance, led to some of the largest spills of credit card data in the U.S., and the companies are still dealing with related settlements to this day.
4. Put redundancies and mitigation strategies into place.
Third-party relationships should also build in redundancies to avoid blockages to your own business. If your company uses a cloud service provider, such as AWS, GCP or Azure, in one region on one platform, for instance, make sure there’s geodiversity in the infrastructure planning, with data centers in different regions of the country or even in multiple countries to account for a vendor’s services failing.
Mitigation strategies should also be in place in case an unforeseeable event occurs. During the Sept. 11 attacks, for instance, one of Visa’s primary data centers in the Twin Towers failed, but another in New Jersey was able to take control, and the company didn’t lose one bit of data that day. Consider the criticality of your data, how to ensure protection when — not if — something fails, and what will happen to ensure continuity so no data or processing is lost. Insurance is the ultimate fallback, and though you never want to need it, that’s why you have it.
5. Conduct third-party risk assessments annually.
Annual third-party assessments are mandated across multiple frameworks and considered a best practice, whether you use SOC 2, FedRAMP, GDPR, ISO or PCI. Mid-size and enterprise companies may also decide to use assessments that monitor for intelligence data and potential data leakage from third-party vendors. Similar to a credit report, cyber rating agencies can provide a security scorecard to help you assess and manage risk.
Consider including this assessment in reports to your board of directors to create a standardized process that is reviewed regularly. You should also include these assessments in your renewals with vendors, which can underlie requirements around insurance, incident reporting and mitigation strategies. Monitoring these regular assessments can bring different security risks to light.
Ultimately, think about the data and risks that are mission critical to your operations and what fits into your due diligence. Many vendors use managed service providers, which should play a role in updating patches and security improvements. If they are implementing and serving vendor registrations, they should be part of the process for ensuring that the proper updates are in place and of the decisions around when to remove a vendor, as appropriate. Partner with your internal InfoSec teams and external InfoSec and IT service providers to identify areas of third-party risk and how you can best prepare yourself this year.
To learn what Reciprocity is doing to mitigate third-party risk, read our blog Why Zero Trust Is Critical to Protecting Your Business.