No business is an island. You rely on third parties in some way, whether they’re service providers, software vendors, partners, consultants, or contractors. Using third parties can increase your overall efficiency because you don’t have to waste time, money, and other resources to build and maintain everything in-house.
However, third parties also introduce additional security and compliance risks to your enterprise. Your vendors, partners, and contractors need access to your network and data, but you have little control over these third parties and their security hygiene. An attacker could use a third party’s privileged account to breach your network and expose sensitive data. For example, the 2020 SolarWinds hack resulted in breaches at thousands of their client organizations, including government departments like Homeland Security and major tech companies like Microsoft and Cisco. That’s why it’s crucial to develop strategies that balance Third-Party Risk Management (TPRM) compliance, security, and efficiency.
What is TPRM?
Third-party risk management is exactly what it sounds like – managing the inherent risk involved in working with third parties. TPRM involves thoroughly vetting all your third parties before you agree to work with them to determine how much risk they introduce. It also means continuously monitoring them throughout your contract to ensure they continue to meet your security and compliance standards.
Best Practices to Balance TPRM Compliance, Security, and Efficiency
Now, let’s discuss the best practices for creating, maintaining, and optimizing your TPRM compliance and security program.
Identify Your Third Parties
Ideally, you’ll create a TPRM program before onboarding a third party, but for most of us, that ship has already sailed. That means your first step should be identifying all your existing third-party relationships and determining what they have access to.
This may be easier said than done, however. You may have departments or even individuals within your company who work with outsiders without your knowledge. One way to obtain a full and accurate list is to send questionnaires to every department head inquiring about the use of third parties. Or you could follow the money and ask your accounts payable department to provide a list of current vendors, contractors, and other parties who receive payments from your organization.
Next, you need to find out what data and resources your third parties should have access to. Then, you should conduct a privilege audit on all third-party accounts to determine if their access levels are appropriate. The importance of this step cannot be overstated: according to a recent Ponemon Institute report, over-privileged third-party accounts were responsible for up to 74% of security breaches. The best practice for any account – especially third-party users – is to follow the principle of least privilege, restricting access to the minimum resources required for the job at hand.
Assess Your Third-Party Risk
Once you know who your third parties are – or you’ve selected a new vendor or partner to work with – you need to assess the level of risk they introduce to your organization. You should assess risk from multiple angles, asking questions like:
- How much access do they need? A third party who just needs basic network access is inherently less risky than one who needs administrative privileges.
- What is the value or sensitivity of the data being accessed? Is it subject to any data privacy regulations? Could its exposure cause monetary or reputational damage to your organization?
- Does this third-party organization have a history of security breaches or compliance violations?
- Are there any conflicts of interest with the third-party company or personnel? For example, are any of their major investors in direct competition with you? Does this contractor or consultant have any relevant personal relationships with people in your organization?
Your assessment needs to determine whether the value brought by the third party is worth the inherent risk involved in working with them. There’s no hard-and-fast rule for this, so it’s something your organization needs to decide based on your unique security and compliance requirements.
Establish Consistent TPRM Policies
Once you’ve determined which questions to ask and how to evaluate the answers, you should apply your new TPRM policies consistently to every third party. That includes long-term, trusted vendors and contractors with whom you’ve established close relationships. There’s a first time for everything, including security breaches, so you shouldn’t make exceptions based on a history of good behavior.
Automate Your TPRM
There are some limitations to manual TPRM. First, identifying and tracking all your third parties is time-consuming, and there’s always a chance you’ll miss someone. Second, risk assessment questionnaires rely on your third-party Point of Contact providing thorough and accurate answers. Third, that assessment only gives you a snapshot of a single moment in time – staff turnover, policy updates, new software vulnerabilities, and other changes could have a serious impact on third-party risk.
Automation addresses these TPRM limitations in a variety of ways. For example, automatic discovery tools can help you locate all the cloud services, applications, vendor accounts, and third-party devices connected to your enterprise network. Many automated TPRM tools give you a central dashboard from which to manage your third parties and create, deploy, and track risk assessments. That means you always have an up-to-date accounting of who’s accessing your network and what their risk profile is. Finally, TPRM monitoring tools give you continuous visibility into your third parties’ external security perimeter, so you’ll always be aware of any changes that may affect their risk profile.
Keeping Third-Party Risk Management (TPRM) Compliance, Security, and Efficiency in Balance
Identifying your third parties, assessing their inherent risk, and establishing consistent policies are crucial first steps to successful TPRM. Automation takes TPRM to the next level by streamlining processes, reducing human error, and providing continuous third-party monitoring. A robust TPRM program keeps compliance, security, and efficiency in balance so you can get the most out of your third-party relationships while mitigating the risks to your organization.