According to Deloitte’s 2023 Global TPMR Report, although 62% of organizations perceive cyber and information security risk to be the most critical risks posed by third parties, only 50% segment their third parties according to the level of criticality (i.e. low, medium, high). With the latest leak of 26 billion records, also known as the Mother of All Breaches (MOAB) from companies such as DropBox, Adobe, LinkedIn, Telegram, X and US and global governmental organizations, security and third-party risk teams might reevaluate their strategy when it comes to third-party vendor risk management.

What is Third-Party Vendor Risk Management?

Third-party vendor risk management, also known as vendor risk management, is a strategy that identifies, assesses and mitigates the cybersecurity threats, weaknesses and vulnerabilities posed to your organization by the integration of third-party services and providers into its IT infrastructure.

Some examples of recent data breaches and supply chain attacks include:

  • Okta. The third-party data breach exposed the personal and healthcare data of about 5,000 of the identity management provider's current and former employees and their relatives. Although the breach had a limited impact, it came after more significant incidents that Okta suffered that same year.
  • Citrix NetScaler. This digital supply chain attack affected over 2,000 NetScaler devices, an application delivery controller (ADC) that sits in front of web applications to make them run more efficiently. The attack led to compromised systems at top organizations such as Toyota, Comcast and Boeing.
  • IntelliHartz. Almost half a million individuals were affected when the patient payment and collections company's third-party file transfer service, GoAnywhere MFT, was breached.

The 3 Stages of Third-Party Vendor Risk Management

Because the level of security risk varies widely with factors such as the type of organization, industry, nature of the third-party relationship, technologies involved and applicable regulations, organizations need to apply third-party vendor risk management throughout the lifecycle of the business relationship.

This lifecycle can be divided into three stages:

  1. Onboarding. This refers to the due diligence conducted at the beginning of the vendor relationship to evaluate whether or not the business should enter into a relationship with the third party in question.
  2. Ongoing monitoring. This includes regular evaluation of security risks during the vendor relationship to ensure the third party is applying the appropriate security controls to meet the relevant regulations and standards.
  3. Offboarding. This refers to the process of disengaging, deleting and transferring sensitive data and information formerly shared with your organization so that it cannot pose a future threat.

For this post, we will focus on the cyber risk element of third-party vendor risk management during the second part of the vendor lifecycle: Ongoing monitoring.

Why Ongoing Security Monitoring is Essential

Although organizations are careful to conduct security due diligence when onboarding a third party (e.g., vendor, supplier, outsourcer, service provider, consultant), they often fail to monitor security throughout the lifecycle of the relationship.

A third party might have been the right third party to contract with two years ago, but are they still the right third party? A third party, over the course of time, has evolving oversight, processes, employees, and technology. What might have been a secure relationship a year ago, or several years ago, may not be a secure relationship today.

Ongoing monitoring is critical for several reasons:

  • The evolution of cybersecurity risk. Cybercriminals are always experimenting with new methods and strategies to maximize their chances of success. Many are now exploiting generative AI to compose phishing emails at scale and write malicious code.
  • The dynamic nature of organizations. Internal business processes, employees and technology are in a constant state of change. As much as your organization's business has evolved, each and every one of the third parties you do business with has evolved as well.
  • Constant regulatory changes and updates. With developments in technology such as generative AI and evolving cybersecurity risks, governments have instituted new policies. Effective ongoing monitoring ensures that third parties are putting the right security controls and processes in place to comply with the latest regulations and standards.

This is further complicated because security today impacts a wider range of third parties than it has in the past. In the past, it was mostly IT vendors that presented an information security risk. Today, in the interconnected digital economy, any third party providing a service to any part of the business may be connected to the organization's network and have access to information. The Internet of Things (IoT) complicates this further, as increasing numbers of devices (such as the microwave in the break room) now pose a security threat when they didn't in the past. As a result, ongoing security monitoring throughout a relationship is critical to protect your organization's security posture.

5 Necessities of Third-Party Security Monitoring

Organizations need to have established processes in place to monitor the security of third parties throughout their business lifecycle. This includes:

1. Ongoing/continuous external scanning

Organizations should have established processes to conduct regular, and even continuous, security scans of third parties, particularly those with network connections to the organization or that hold its electronic data. This is to ensure their environment, as seen from the Internet, is secure and does not pose a threat due to security gaps on the third party's side. Organizations and technology are constantly changing: a server on the Internet may become misconfigured, or critical patches may not be applied.
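To make the idea of an external scan concrete, here is an added example (not code from the original post or from Panorays) that evaluates the Internet-facing posture of a third party's public hosts. The scan records, host names and dates are constructed sample data for a hypothetical vendor; in practice they would come from a TLS probe and an HTTP fetch against the vendor's real hosts. The checks are the ones a practitioner typically starts with: legacy TLS versions still accepted, an expired or soon-to-expire certificate, missing browser security headers, a server banner that discloses a version, and management or database services exposed to the Internet.

```python
# Added example, not from the original post: score a vendor's external posture
# from (constructed) scan results. Hosts, dates and headers are sample data.
import re
from dataclasses import dataclass
from datetime import date


@dataclass
class HostScan:
    host: str
    tls_versions: list      # protocol versions the server agreed to negotiate
    cert_not_after: date    # expiry of the leaf certificate
    headers: dict           # HTTP response headers, lowercase names
    open_ports: list        # TCP ports found open


@dataclass
class Finding:
    host: str
    severity: str           # "high", "medium" or "low"
    detail: str


LEGACY_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}
# Services a vendor holding your data should not expose to the Internet.
RISKY_PORTS = {21: "FTP", 23: "Telnet", 445: "SMB", 1433: "MSSQL",
               3306: "MySQL", 3389: "RDP"}
REQUIRED_HEADERS = {
    "strict-transport-security": "medium",
    "content-security-policy": "low",
    "x-content-type-options": "low",
}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def assess_host(scan: HostScan, today: date) -> list:
    """Return the findings for one host's scan results."""
    findings = []
    for version in scan.tls_versions:
        if version in LEGACY_TLS:
            findings.append(Finding(scan.host, "medium",
                                    f"accepts legacy protocol {version}"))
    days_left = (scan.cert_not_after - today).days
    if days_left < 0:
        findings.append(Finding(scan.host, "high",
                                f"TLS certificate expired {-days_left} days ago"))
    elif days_left < 14:
        findings.append(Finding(scan.host, "medium",
                                f"TLS certificate expires in {days_left} days"))
    for name, severity in REQUIRED_HEADERS.items():
        if name not in scan.headers:
            findings.append(Finding(scan.host, severity, f"missing {name} header"))
    server = scan.headers.get("server", "")
    if re.search(r"\d", server):   # a digit in the banner means a version leaks
        findings.append(Finding(scan.host, "low",
                                f"server header discloses version: {server}"))
    for port in scan.open_ports:
        if port in RISKY_PORTS:
            findings.append(Finding(scan.host, "high",
                                    f"{RISKY_PORTS[port]} (tcp/{port}) exposed to the Internet"))
    return findings


def assess_vendor(scans: list, today: date) -> tuple:
    """Return (worst severity or None, all findings) across a vendor's hosts."""
    findings = [f for scan in scans for f in assess_host(scan, today)]
    worst = max(findings, key=lambda f: SEVERITY_RANK[f.severity], default=None)
    return (worst.severity if worst else None), findings


# Constructed sample data for a hypothetical vendor; not a real scan.
SAMPLE_TODAY = date(2024, 2, 1)
SAMPLE_SCANS = [
    HostScan(
        host="portal.example-vendor.test",
        tls_versions=["TLSv1", "TLSv1.2", "TLSv1.3"],
        cert_not_after=date(2024, 1, 10),          # already expired
        headers={"server": "nginx/1.24.0", "content-type": "text/html"},
        open_ports=[443, 3389],                    # RDP reachable from the Internet
    ),
    HostScan(
        host="api.example-vendor.test",
        tls_versions=["TLSv1.2", "TLSv1.3"],
        cert_not_after=date(2024, 9, 1),
        headers={"strict-transport-security": "max-age=31536000",
                 "content-security-policy": "default-src 'self'",
                 "x-content-type-options": "nosniff"},
        open_ports=[443],
    ),
]

if __name__ == "__main__":
    severity, findings = assess_vendor(SAMPLE_SCANS, SAMPLE_TODAY)
    print(f"worst severity for vendor: {severity}")
    for f in findings:
        print(f"[{f.severity:6}] {f.host}: {f.detail}")
```

Run repeatedly (daily or on every change to the vendor's DNS footprint), the worst severity per vendor is what feeds the ongoing-monitoring workflow: a new "high" on a vendor that was clean last week is exactly the drift the section above describes, and it should open a remediation task with that vendor rather than wait for the next questionnaire cycle.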

2. Periodic attestations

Every third party that poses a security threat to the organization's networks and/or information should be required to review the security policies and controls required in the contract and provide attestation that they are understood, in place and operational. This can include the requirement to provide regular evidence of security certifications and of tests that the third party conducts internally. Some organizations even require that each individual who has access to the organization's information and networks provide an individual attestation of adherence (and possibly go through security awareness training).

3. Reputation monitoring

Organizations should regularly monitor news and social media coverage of their third parties to look for red flags that raise concerns about security in those relationships. For example, board members or executive-level managers may be involved in scandals, or a business may appear on a sanctions or debarment list of companies that a government prohibits doing business with.

4. Issue reporting and management

The best-laid plans of mice and men will go astray. Even the best relationships, with the right security controls and processes, may still encounter security incidents involving the organization's data and systems. It could be as simple as a lost laptop or tablet that held the organization's data, an attacker who compromised the third party, or a rogue employee doing unlawful things. Processes must be in place for third parties to report issues and incidents and to work collaboratively with the organization on their resolution. However, third parties often don't report issues even when they are contractually bound to do so, so the organization also needs its own controls (such as external scanning and breach monitoring) to learn of issues and incidents independently. The organization should have defined processes for working collaboratively with third parties, but also incident response procedures with prepared steps to take when an issue does arise (e.g., severing network communications).

5. Security audits and onsite inspections

Most contracts include a right-to-audit clause that allows the organization to go onsite and validate the third party's adherence to the contractual controls and requirements. Unfortunately, most organizations do not commit resources to doing this. To address this, the organization should define internal resources, or contract with a service provider that can conduct third-party audits and inspections. This could be as simple as grouping third parties into three tiers, similar to a stoplight: high-risk/red, medium-risk/yellow and low-risk/green. An organization can then require onsite audits, inspections or validation of high-risk third parties every year, conduct validation or inspections of medium-risk third parties every two years, and each year audit a random sample of perhaps 5% of its green/low-risk third parties. This may be a lot for many organizations, which is why organizations look to security rating companies for assurance across the range of third parties they work with.

How Panorays Helps You Manage Third-Party Risk

Panorays delivers effective vendor risk management by performing risk assessments of not only your third-party vendors, but your Shadow IT and connections to fourth and fifth-party vendors as well. These regular assessments ensure continuous monitoring and real-time alerts of any data breaches, vulnerabilities, zero-day attacks or other security incidents in your digital supply chain.

By combining automated cybersecurity questionnaires with external attack surface assessments, Panorays provides accurate cyber ratings of your organization's security posture and that of your suppliers. Its cybersecurity questionnaires are customizable (e.g., based on industry-standard templates or on third-party criticality), can be sent automatically to specific team members at regular intervals, and create remediation tasks from easy-to-manage workflows. In addition, it automatically validates the responses with the use of AI by cross-referencing them with vendor-related documents and cyber posture data to give a holistic view of your third-party risk.

Want to learn more about how Panorays can help you deliver effective third-party risk management? Get a demo today.

FAQs

What is third-party vendor risk management? 

Third-party vendor risk management, also known as vendor risk management, is the strategy of identifying, assessing and mitigating threats, vulnerabilities and weaknesses posed to your organization as a result of integrating third-party services or providers into your IT infrastructure. These risks could be financial, regulatory, reputational, operational and related to cybersecurity. Risk assessments, along with continuous monitoring, are essential in identifying weaknesses and vulnerabilities that could pose a serious threat to your organization and remediating them before they cause damage.

What are the key elements of third-party vendor risk management? 

  • Evaluating potential risks. You should have a process for identifying the risks posed to your organization through third-party integrations and a method for understanding the impact they could potentially have on your organization.
  • Continuous monitoring. As your business and its internal controls and processes evolve, so too do your third parties. Regulations and security risks also evolve, making it necessary to monitor them at regular intervals.
  • Remediation. Organizations need to work together with their third parties to find and close security gaps, prioritized according to your organization's risk appetite.
  • Gaining supply chain visibility. You need to be able to identify your suppliers and their level of criticality for your business operations.
  • Ensuring compliance. You need to be able to assess and evaluate whether third parties are adhering to the various regulations in your industry, in addition to identifying new issues that arise due to changes in internal policy, new technologies or regulatory updates.

How can you assess third-party vendor risks? 

Third-party vendor risks can be assessed with a combination of attack surface assessments, cybersecurity questionnaires and both external and internal audits and evaluations. Together the cybersecurity questionnaires and attack surface assessments combine data from thousands of assets across your supply chain with validated answers from the questionnaires to deliver an accurate cyber rating of your suppliers. Employing these different methods along with ongoing monitoring can continue to assess third-party vendor risks throughout the lifecycle of its business relationship with an organization.

What are the three stages of the third-party vendor risk management lifecycle? 

1. Onboarding. Ensure that your organization is entering into business relationships with third parties that don’t introduce critical risks before they are integrated into your IT infrastructure. Due diligence, screening processes and explicit mentions of how data is to be handled and secured in the contract are essential elements of a secure onboarding process for third-party vendor risk management.

2. Continuous monitoring. Weaknesses, threats and vulnerabilities must be monitored throughout the relationship your organization has with its third parties. This is essential as cybersecurity threats evolve along with both your organization’s and third parties’ internal business processes, technology, onboarding and offboarding of different vendors, and updates to various regulations and standards that impact both your organization’s security and the security of your third parties.

3. Offboarding. The termination of a relationship also needs a thorough process for disengaging, deleting and transferring sensitive data and information formerly shared with your organization so that it cannot pose a future threat. It should also cover the return of physical assets and equipment and the disconnection of shared network connections, VPN access and any other internal connections with your organization.