The Risk of Third-Parties & Protecting Your Network

Virtually every business in the world has to deal with third parties. Whether you want to host something in the cloud or want a collaboration tool for your remote workforce, it’s much more feasible to seek a third-party product or service instead of reinventing the wheel. It will make your organization more agile and also guarantee better performance and availability. But opening your network to external entities also creates tons of new security risks and considerations.

A 2020 report stated that 53% of cyberattacks in the last two years stemmed from third-party integrations. So, how do you gauge the level of risk while signing a contract with a vendor? What security controls must you implement, and what sort of visibility should you have over their activities inside your system?

Incorporating Third-Party Risk Assessments

A senior IT executive shared that there was no third-party risk assessment policy in place when they first arrived at their current company. Any business unit leader had the authority to bring in a new vendor of choice whenever they wanted, without any scrutiny. They had to strive to build a process to identify and mitigate third-party risk, which sometimes even led to better negotiations. They used security as one of the qualifiers for dealing with vendors. In phase 1, they started with an assessment plan called Standard Data Sharing and Safeguard Agreements, which stipulated:

• Do vendors have the ability to read and write data to our system?
• Do they have privileged access?
• How is the data shared? Is it ad-hoc, or do they have a permanent integration, allowing them uninterrupted access?  

If the vendor scored high for risk based on this initial assessment, they would ask them to fill a more detailed supplier security assessment questionnaire.

Challenges While Evaluating Third-Party Risk

A speaker mentioned that to fully assess a vendor for risk, you need to look within their organization. For example, what access will they have to our employees, systems, and data? What activities will they perform within our systems? Can we audit those activities? What level of privileges will they have, and can they be revoked immediately, if required? However, a lot of assessments these days don’t cover these factors.  

Another problem with vendor assessment is that companies rely too heavily on reports and certifications like SOC2 and ISO-27001. Just because a vendor has various certifications doesn’t mean that everyone within their organization is compliant and doesn’t warrant a risk assessment.  

Lastly, what if a vendor shows up as high risk? What if they are unable to cater for the ten non-conformities within six months, as initially agreed? Do you have the relevant clauses in the contract to break the agreement and part ways? More importantly, do you have the buy-in from the rest of the organization to end a contract with an important supplier?  

Key Points to Remember

A participant posited that limiting vendor access by a time period (e.g., 30/60/90 days) can go a long way in ensuring that no external party has indefinite access to internal resources. Moreover, following the principle of least privilege is also important; only grant absolutely necessary rights and privileges, giving none by default. Identify the nature and extent of rights required by different job roles/designations, and grant accordingly.  

‍