Three Key Steps to Reduce Third-Party Risk

Cybercrime is an illicit business market with over $1.5 trillion in annual revenue.  To put this into perspective, that’s over 37% of the size of the global technology market.  Cybercriminals are looking to make as much money as they can with the least risk and effort.

This is evident with the continuing increase in phishing and third-party breaches.  Third parties are companies that provide services to or on behalf of the company.  This can be anything from data processing to heating and air conditioning.  Hackers target these companies due to their access to sensitive information and/or connections into the company.  It’s often easier to hack a third party than the company directly.

Most companies do not have an effective view of their third parties, nor mechanisms to manage the risk those third parties introduce. Taking a few key steps can significantly improve this.

Figure: Potential Third Party Doors

1. Create and implement a Security Risk Assessment Questionnaire.

A Security Risk Assessment Questionnaire is a list of questions that provides a high-level overview of a company’s cyber security risk.  It should be completed by all service providers and any companies you’re considering doing business with.

Points of Guidance for the Questionnaire:

  • Right-size it for your organization’s risk profile
  • Include applicable compliance and regulatory questions
  • Leverage automated cybersecurity risk calculations for consistency and a quicker review
  • Renew it on a timeline based on the risk profile (such as yearly) to see whether anything has changed
  • Report the results into a centralized register

Each entry should be reviewed by a security professional, and a cyber security review call should be conducted with any company rated higher risk.  This should not be an onerous process, but an expeditious review.

By understanding the level of risk, the company can make better business decisions which may include selecting a different service provider, contractual terms, or compensating controls.  This enables the company to maintain its competitive advantage while managing its risk.
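The guidance above calls for automated risk calculations, a renewal timeline tied to the risk profile, and a centralized register. The following is an added example (not the author's code or a product) showing one way to implement that pipeline: weighted scoring of questionnaire answers, tiering that is bumped up for vendors with sensitive-data access, a per-tier renewal interval, and an overdue check against the register. The question names, weights, tier thresholds and sample vendors are all hypothetical and constructed here.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical questionnaire items. The weight is how much a "no" (or missing)
# answer raises the vendor's risk score. Weights are illustrative, not a standard.
QUESTIONS = {
    "mfa_for_remote_access": 3,
    "encrypts_data_at_rest": 2,
    "annual_penetration_test": 2,
    "incident_response_plan": 2,
    "soc2_or_iso27001": 1,
    "background_checks": 1,
}
MAX_SCORE = sum(QUESTIONS.values())

# Risk tiers: (upper bound on score fraction, exclusive; tier name; renewal interval).
# Higher-risk vendors are re-assessed more often.
TIERS = (
    (0.25, "low", timedelta(days=365)),
    (0.60, "medium", timedelta(days=180)),
    (1.01, "high", timedelta(days=90)),
)

@dataclass
class RegisterEntry:
    vendor: str
    data_access: str          # "none", "internal" or "sensitive" (hypothetical labels)
    answers: dict
    completed_on: date
    score: int = 0
    tier: str = ""
    renew_by: Optional[date] = None
    needs_review_call: bool = False

def score_answers(answers):
    """Sum the weights of every question answered False or left unanswered."""
    return sum(w for q, w in QUESTIONS.items() if not answers.get(q, False))

def classify(score, data_access):
    """Map a score to a tier; sensitive-data access raises the tier one level."""
    frac = score / MAX_SCORE
    for bound, name, interval in TIERS:
        if frac < bound:
            tier, renewal = name, interval
            break
    if data_access == "sensitive" and tier != "high":
        idx = [t[1] for t in TIERS].index(tier) + 1
        tier, renewal = TIERS[idx][1], TIERS[idx][2]
    return tier, renewal

def build_register(submissions):
    """Score every submission and compute its tier, renewal date and review-call flag."""
    register = []
    for s in submissions:
        entry = RegisterEntry(**s)
        entry.score = score_answers(entry.answers)
        entry.tier, renewal = classify(entry.score, entry.data_access)
        entry.renew_by = entry.completed_on + renewal
        entry.needs_review_call = entry.tier == "high"
        register.append(entry)
    return register

def overdue(register, today):
    """Vendors whose questionnaire has passed its renewal date."""
    return [e.vendor for e in register if e.renew_by < today]

# Constructed sample submissions (hypothetical vendors and answers).
SUBMISSIONS = [
    {"vendor": "hvac-co", "data_access": "none", "completed_on": date(2019, 1, 10),
     "answers": {"mfa_for_remote_access": True, "encrypts_data_at_rest": True,
                 "annual_penetration_test": True, "incident_response_plan": True,
                 "soc2_or_iso27001": False, "background_checks": False}},
    {"vendor": "payroll-processor", "data_access": "sensitive", "completed_on": date(2019, 3, 1),
     "answers": {"mfa_for_remote_access": True, "encrypts_data_at_rest": True,
                 "annual_penetration_test": False, "incident_response_plan": True,
                 "soc2_or_iso27001": True, "background_checks": True}},
    {"vendor": "dev-contractor", "data_access": "internal", "completed_on": date(2019, 4, 1),
     "answers": {"mfa_for_remote_access": False, "encrypts_data_at_rest": False,
                 "annual_penetration_test": False, "incident_response_plan": True,
                 "soc2_or_iso27001": False, "background_checks": True}},
]
AS_OF = date(2019, 8, 15)  # review date used for the overdue check

def example_register():
    return build_register(SUBMISSIONS)

if __name__ == "__main__":
    reg = example_register()
    for e in reg:
        print(f"{e.vendor:18} score={e.score:2} tier={e.tier:6} renew_by={e.renew_by} call={e.needs_review_call}")
    print("overdue:", overdue(reg, AS_OF))
```

The design point is that the score alone does not decide the tier: the kind of access a vendor has is an independent input, so a vendor with clean answers but sensitive-data access still gets a shorter renewal cycle. Anything rated high is flagged for the review call the text describes rather than being waved through on the questionnaire alone.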

2. Perform security risk assessments for higher risk and critical service providers.

The Security Risk Assessment Questionnaire provides a high-level overview of a company’s risk, but it’s important to do a deeper review for a select number of higher risk companies and critical service providers.  How many third parties are assessed, and how deeply, depends on your company’s risk profile and compliance requirements.  The review should include assessments against security standards and may include on-site reviews.

By further reviewing your higher risk and critical service providers, you can identify and address any critical risks before they lead to a breach.  Security assessments help third parties improve their cyber security and reduce your company’s overall risk.

3. Restrict third-party access to systems, networks, and resources.

A common critical risk is third parties with direct unfettered access to a company’s networks. These connections are often implemented in order to reduce the complexity and level of effort for development projects, but these same connections can be leveraged by bad actors. Third-party connections and the systems they are connecting to should be limited, secured, and segmented from other networks and resources.

As always, third-party access to systems, networks, and resources should be limited to what is needed to provide the service.
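To make the "limited, secured, and segmented" requirement checkable, the following is an added example (not the author's code or any product's) that audits a set of firewall allow-rules for a third-party connection against a least-privilege policy: the vendor's approved source range, the network segment set aside for third-party-reachable systems, and the exact services the contract requires. The rule base, the policy and the addresses are all hypothetical and constructed here; the checks illustrate the kinds of over-broad grants that commonly creep in (any-source rules, whole-subnet destinations, full port ranges, services nobody contracted for).

```python
import ipaddress

# Constructed sample rule base for one third-party VPN connection, in the shape
# such rules often take when exported for review. Hypothetical addresses.
RULES = [
    {"id": 101, "src": "203.0.113.0/24", "dst": "10.50.1.10/32", "proto": "tcp", "ports": "443"},
    {"id": 102, "src": "203.0.113.0/24", "dst": "10.0.0.0/8",    "proto": "tcp", "ports": "1-65535"},
    {"id": 103, "src": "0.0.0.0/0",      "dst": "10.50.1.11/32", "proto": "tcp", "ports": "22"},
    {"id": 104, "src": "203.0.113.7/32", "dst": "10.20.3.5/32",  "proto": "tcp", "ports": "3389"},
]

# Hypothetical least-privilege policy for this vendor: where it may connect from,
# which segment its reachable systems live in, and the contracted services.
POLICY = {
    "vendor_src": ipaddress.ip_network("203.0.113.0/24"),
    "vendor_segment": ipaddress.ip_network("10.50.1.0/24"),
    "required": {("10.50.1.10", "tcp", 443), ("10.50.1.11", "tcp", 22)},
}

def parse_ports(spec):
    """'443' -> (443, 443); '1-65535' -> (1, 65535)."""
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
    else:
        lo = hi = int(spec)
    return lo, hi

def audit_rule(rule, policy):
    """Return the list of ways a single allow-rule exceeds the policy (empty if compliant)."""
    findings = []
    src = ipaddress.ip_network(rule["src"])
    dst = ipaddress.ip_network(rule["dst"])
    lo, hi = parse_ports(rule["ports"])
    if not src.subnet_of(policy["vendor_src"]):
        findings.append("source not limited to the vendor's approved range")
    if not dst.subnet_of(policy["vendor_segment"]):
        findings.append("destination outside the third-party segment")
    if dst.num_addresses > 1:
        findings.append("destination is a network range, not a single host")
    if hi != lo:
        findings.append("port range instead of a single service port")
    # Only a host/port pair can be matched against the contracted service list.
    if dst.num_addresses == 1 and hi == lo:
        if (str(dst.network_address), rule["proto"], lo) not in policy["required"]:
            findings.append("service not in the contracted requirement list")
    return findings

def audit(rules, policy):
    """Map rule id -> findings for every rule in the set."""
    return {r["id"]: audit_rule(r, policy) for r in rules}

def noncompliant(rules, policy):
    """Sorted ids of rules that need to be tightened or removed."""
    return sorted(rid for rid, f in audit(rules, policy).items() if f)

if __name__ == "__main__":
    for rid, findings in audit(RULES, POLICY).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"rule {rid}: {status}")
```

Rule 101 is the shape a third-party grant should take: one approved source range, one host inside the dedicated segment, one contracted service. The other three each fail in a different way, and the findings list gives the reviewer the reason to take back to the project team rather than a bare pass/fail.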

With the emphasis on securing a company’s internal systems and networks, it can be easy to lose sight of third-party risks.  By taking these key steps, you’ll be better able to manage them and significantly decrease your risk of a third-party breach.

August 15, 2019 | Richard Jankowski
