Third-Party Cyber Risk: Managing IT, Compliance and Data Risk Throughout the Vendor Lifecycle

Use these best practices to identify, manage and reduce cybersecurity risks at every stage of the vendor relationship.
By:
Brad Hibbert
,
Chief Operating Officer & Chief Strategy Officer
June 13, 2022
Share:
White paper managing it non it third party risk 0722

Third-party cybersecurity risk has become a serious challenge for organizations in recent years. Large-scale third-party data breaches include SolarWinds, Kaseya, Mercedes and Okta. As organizations have increasingly adopted cloud and off-premise IT infrastructure, the difficulty of successfully managing third-party cyber risk has grown exponentially. For every third party a company shares data with, or provides system access to, there is a web of interdependent fourth and Nth parties that also may have access to that data.

Third-party cyber risk affects every organization from the small IT service provider that unintentionally distributed ransomware to its customers, to the enterprise organization that suffers a massive data breach traced to an HVAC vendor. This post explains how organizations can successfully manage third-party cyber risk throughout the vendor risk lifecycle.

What Is Third-Party Cyber Risk?

Third-party cyber risk is defined as a potential exposure in the confidentiality, integrity, or availability of IT infrastructure and data that an organization takes on as a result of working with a vendor, supplier, or other business partner. Third-party cyber risk can take numerous forms depending on the role of the third party. Some common forms of third-party cyber risk include:

Third-Party Data Breaches: Third-party data breaches have become incredibly common. As cloud services, SaaS application usage, and use of third-party security and IT contractors have increased, so have the risks associated with data breaches. Organizations like Marriott, Volkswagen, and Capital One have all suffered data breaches in recent years as a result of the use of third-party contractors, applications, or IT infrastructure.

Compliance Issues: Numerous compliance requirements address third-party cyber risk. Regulations such as HIPAA, CMMC, GDPR, CCPA, and others create direct controls for how organizations can share data or provide third-party access to data. Failure to understand and meet compliance requirements can cause enormous legal, regulatory, and public relations issues for organizations.

Ransomware & Denial of Service Attacks: Ransomware hasn’t traditionally been seen as a risk stemming from third parties. But in recent years malicious actors have increasingly targeted software applications used by hundreds, or even thousands, of companies in an effort to distribute ransomware. According to the 2022 Verizon Data Breach Investigations Report, ransomware was one of the top methods used by attackers in third-party data breaches covered by the report. Third-party cyber risk emanating from software providers that require privileged access to IT infrastructure should not be discounted.

Understanding Profiled, Inherent, and Residual Risk in the Context of Third-Party Cyber Risk

Let’s start with a quick recap of a concept that is crucial to understanding and managing third-party cyber risk. Third-party cyber risk can broadly be classified into three distinct categories based on a vendor or supplier’s characteristics, the services they provide to your organization, and the stage of your relationship with them.

Profiled Risk: Profiled risk comes from a combination of company information, geographic location, industry, and regulatory requirements. For example, third parties located in politically volatile countries, those that are typically targeted by cyber attackers, or those that are highly regulated will carry a higher profiled risk. As well, a third party’s financial status and health and reputation can be included in profiled risk, as poor marks in these areas can signal an inability to deliver on contractual promises.

Inherent Risk: Inherent risk is more specific to the service performed and is classified as the risk that the third party poses to your organization prior to the application of controls. Inherent risk is calculated by understanding the third party’s criticality to business performance and operations; its location(s) and related legal or regulatory considerations; the level of reliance on fourth or Nth parties; exposure to operational or client-facing processes; and interaction with protected data or internal systems. Organizations with high levels of access to sensitive data and infrastructure have higher inherent risk than those without.

Residual Risk: Residual risk represents the remaining risk posed to an organization by a third party after mandatory controls are implemented. Risk management teams should carefully consider and define acceptable versus unacceptable levels of residual risk or compensating controls.

On-Demand Webinar: The 5 Most Important Third-Party Cyber Risks

Join Dave Shackleford, founder of Voodoo Security, for a webinar where he highlights a process that you can use to prioritize third-party cyber risks.

Identifying Third-Party Cyber Risk During Sourcing and Selection

Some degree of third-party cyber risk will be present with almost any vendor you do business with, even those with extremely minimal access to IT infrastructure or sensitive data. However, identifying vendors that expose your organization to unnecessarily high levels of cyber risk is critical to reducing the chances of a data breach or security incident further down the line. Here are a few questions to ask potential vendors, particularly those that have high profiled risk.

  • Does the organization have a formalized cybersecurity program aligned with a known cybersecurity framework such as NIST CSF or ISO 27001?
  • Has an outside auditor or party validated that the security program is fully compliant with the standard?
  • Is the organization already fully compliant with applicable legal requirements to work with your organization’s data? (e.g., HIPAA, GDPR, CCPA)
  • Has the organization ever been fined for a cybersecurity compliance violation?
  • What is the organization’s reliance on 4th or Nth parties?
  • Does the organization have a history of data breaches or publicized security incidents?
  • Is the organization located in a country that may force them to disclose sensitive corporate data contrary due to contractual obligations?

Mitigating Third-Party Cyber Risk During Intake and Onboarding

Identifying vendors that pose an acceptable degree of risk is only the beginning. Intake and onboarding is a crucial phase to enable both risk identification and reduction opportunities throughout the lifecycle of the contract.

Write Cybersecurity into the Contract

Include specific data storage and cybersecurity requirements in your contract with the vendor based on compliance needs and profiled risk. Standardized clauses should cover when and how the vendor can share data with their third parties (i.e., your fourth parties). In addition, consider adding requirements to the SLA regarding encryption standards, identity and access management, and data retention.

Score Inherent Risk

Inherent risk scoring is critical to adequately managing third-party cyber risk. As mentioned above, an organization's inherent risk is the risk they pose prior to the implementation of specific controls required by your organization. Below are a few tips you can use to enhance your inherent risk scoring approach:

Don’t Take a One-Size Fits All Approach: Inherent risk scoring should be based on an organization's profiled risk. Vendors should be tiered based on the data and infrastructure that they have access to. Failure to appropriately tier vendors leads to wasted effort focusing due diligence on the wrong vendors, while those that may pose substantial organizational risk don’t receive enough attention.

Consider Vendor Location When Scoring Inherent Cyber Risk: Vendors based in specific locations may be partially owned or under specific data sharing requirements by governments, which may supersede the vendors' contractual obligations to your organization. Carefully consider vendor location and regional politics when determining the amount of inherent risk that a vendor poses.

Bonus Tip: Using a dedicated third-party risk management solution can enable you to tier vendors based on custom-built criteria.

Identify Fourth and Nth Party Vendors

If the vendor you are onboarding has a high degree of inherent risk based on their data and IT access, it may be worth examining their extended supply chain. Pay particular attention to organizations that work on their IT infrastructure or have access to data that they store. Understanding fourth and Nth party usage helps to inform your overall vendor risk management program, as well as to focus your third-party monitoring approach throughout the contract lifecycle.

Assessing and Remediating Third-Party Cybersecurity Risks

Assessing and remediating cybersecurity risks emanating from third parties is crucial to your broader TPRM program. Here are a few tips you can use when assessing and requesting remediation from vendors:

Map Compliance Requirements to Vendor Controls

If you have obligations under HIPAA, GDPR, NYDFS or other regulations, you must ensure that the vendor meets necessary controls based on the type of data they are handling. Utilizing third-party risk management software like Prevalent can make this step dramatically faster by automatically mapping cybersecurity frameworks used by the vendor to your organization's compliance requirements.

Don’t Be Afraid to Ask for New Controls or Outside Audits

If the organization hasn’t had an outside organization certify that they are compliant with a well-known cybersecurity standard, don’t be afraid to request that they undergo an audit based on a framework (or compliance requirement that your organization falls under). It’s far better to lose a potential contract than to find out later that their self-certification of HIPAA compliance was exaggerated and your organization is liable for a breach as a result.

Understand Processes Around Fourth and Nth Party Data Sharing

You should have a general idea of what outside organizations your vendor is using based on their answers during the intake and onboarding phase. As your organization conducts its formal vendor risk assessment, request the specific policies and procedures your vendor has for sharing data or access with fourth parties. If they don’t have formalized policies and procedures, request that they create them.

Regularly Assess and Remediate Risk

Risk isn’t static. The cyber risk that a vendor poses to your organization will likely change significantly throughout the contract lifecycle. Scope creep can result in vendors taking on additional jobs as they earn trust, which can also allow them to access additional resources that weren’t accounted for in the initial risk assessment. As the contract with the organization evolves, regularly reassess vendor risk to ensure that residual risk remains within acceptable parameters.

Utilize a Shared Library

To accommodate resource constraints, many organizations – especially those with a solid vendor tiering plan – choose to leverage completed content already submitted and shared within an industry exchange. These vendor exchanges are self-fulfilling prophecies – the more vendors that participate, the greater the overlap with other enterprises. This speeds the risk identification and mitigation processes and minimizes the time required to spend collecting data.

The NIST Third-Party Compliance Checklist

The NIST Third-Party Compliance Checklist is a 30-page guide reveals which TPRM practices map to recommendations outlined in NIST SP 800-53, NIST SP 800-161, and NIST CSF.

Read Now
Feature nist compliance checklist 1021

Continuous Monitoring for Third-Party Cyber Risk

Even if you regularly conduct risk assessments to monitor for third-party risk, rapid changes to a vendor's risk profile can slip by. Continuously monitoring for changes to your contractor's cybersecurity posture is critical to effectively managing third-party cyber risk. Here is a brief list of sources worth monitoring throughout the vendor lifecycle to ensure you don’t miss a significant security event.

Dark Web Forums

When targeting large organizations, malicious actors will often coordinate and plan attacks on forums only accessible to authorized users using the TOR network. Monitoring dark web forums for mentions of third- and fourth-party vendors can enable you to rapidly identify potential cyberattacks that are in motion or have been executed against third parties.

Dark Web Marketplaces

Dark Web marketplaces like the Genesis Market sell botnets containing browser fingerprints that can be used by malicious actors to bypass 2FA and other controls. Monitoring these marketplaces can enable rapid identification if third-party access is for sale, alerting you to a potential data breach in progress. In addition, malicious actors often sell account access and stolen credentials on dark web marketplaces. These can then be used by other malicious actors to facilitate account takeover and phishing attacks. Monitoring these marketplaces can help you to better understand vendor cyber risk. Some questions to ask:

  • Are credentials associated with the vendor or its solutions for sale on the Dark Web?
  • Are there any botnets for sale that contain subdomains that would indicate that the victim is an employee of a vendor?
  • Has the vendor already identified credentials for sale or is their external risk posture largely unknown to them?

Pastebin & Clearweb Sites

Not all data leaks and stolen accounts are on the Dark Web. In many cases, employees will accidentally leak third-party data that will appear on Pastebin and other public forums. To compound these challenges, malicious actors have also been known to dump files containing thousands of credentials on public access forums. Monitoring Pastebin and other public forums for proprietary information, stolen third-party credentials, and other sensitive data is a key part of conducting continuous third-party monitoring.

Vulnerability Databases

Vulnerability databases, such as the MITRE CVE database, can help your organization to identify exposures in software developed or used by your third-party vendors. Utilizing third-party risk management software can enable you to automatically identify third- and fourth-party software vendors with potential vulnerabilities.

Data Breach Databases

Another important part of third-party cyber risk monitoring is searching for vendors in databases of reported data breaches, like those from Privacy Rights Clearinghouse and the State of California. Even a limited-scope data breach should prompt you to assess the risk to any data shared with the third party. It may also call for a review of applicable regulatory compliance requirements.

Automating the Monitoring Process

Third-party risk monitoring software can help to automate the process of identifying and quantifying vendor cyber risks. For instance, our risk monitoring solution enables you to reveal third-party cyber incidents for 550,000 companies by monitoring 1,500+ criminal forums; thousands of onion pages, 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases.

Third-Party Cyber Risk & Service Level Agreements

Successfully managing SLAs across departments and vendors is crucial to effectively managing third-party cyber risk. Vendors need to be regularly assessed to ensure that compliance requirements are being met, and that additional compliance burdens haven’t been incurred through scope increases. Here are a few key considerations for third-party cyber risk management when managing SLAs.

Automate Where Possible

Manually reviewing hundreds of contracts across dozens of departments and potentially thousands of vendors is challenging to say the least. Using third-party risk management software can enable you to automate key elements of SLA management with built in workflow and remediation.

Write Cybersecurity into the SLA

Ensure that good cyber practices are written into the service level agreement. Specific considerations around data handling, contractor security requirements, staffing background checks, and other provisions can help ensure that third-parties are utilizing effective risk reduction techniques while providing services.

Offboarding, Termination & Mitigating Third-Party Cyber Risk

Not all data breaches happen during a contract. Offboarding and termination represent the final, critical stage in mitigating cyber risk posed by third parties. Many organizations with a lack of maturity in offboarding end up leaving vendors with access to critical data, accounts, and IT infrastructure. Below are a few best practices to use when offboarding vendors.

Keep Compliance in Focus

Ensuring compliance with applicable laws and regulations is key to successfully offboarding vendors. Assess your organization's compliance requirements and ensure that vendor offboarding, data deletion, and validation are all performed in accordance with applicable laws and regulations.

Third-party risk management platforms will have built-in reporting that aligns with these regulatory obligations, which can simplify the compliance process. Many organizations assume that data destruction has occurred upon the contract ending. Take the time to manually validate that all sensitive, proprietary, and regulated data in the vendor's possession has been destroyed.

Validate That Access Has Been Revoked

Keeping up with vendor access, particularly vendors that work across multiple departments, can be difficult. However, it is imperative that you take the time to manually check each department and ensure the vendor has been fully and successfully offboarded across the organization. Leaving a vendor with access to IT infrastructure, accounts, or sensitive information can leave you vulnerable to a data breach or compliance violation months or even years down the road.

Don't Forget Physical Infrastructure

Many organizations rightfully focus on ensuring that vendors no longer have access to cloud servers, databases and SaaS applications. But it’s almost as imperative to not lose sight of the physical security of IT infrastructure and assets. Failing to revoke credentials or inform security teams that a vendor is being offboarded can result in security lapses, and potential breaches should an employee of a third-party vendor act in bad faith.

Managing Third-Party Cybersecurity Risk Throughout the Vendor Risk Lifecycle

Successfully mitigating third-party cybersecurity risk to an acceptable level throughout the vendor risk lifecycle can be daunting. Third-party data breaches continue to mount as new vulnerabilities surface and as attack techniques evolving. Recent events such as the war in Ukraine and heightened geopolitical instability have compounded these risks.

Utilizing a third-party risk management solution can dramatically reduce the effort required to successfully mitigate risks stemming from third-party IT access. The Prevalent Third-Party Risk Management Platform makes navigating the vendor lifecycle dramatically easier. Learn more about our approach by reading our best practices guide, Navigating the Vendor Risk Lifecycle: Keys to Success at Every Stage, or request a demo today.

Tags:
Share:
2014 04 10 Headshot Brad Suit
Brad Hibbert
Chief Operating Officer & Chief Strategy Officer

Brad Hibbert brings over 25 years of executive experience in the software industry aligning business and technical teams for success. He comes to Prevalent from BeyondTrust, where he provided leadership as COO and CSO for solutions strategy, product management, development, services and support. He joined BeyondTrust via the company’s acquisition of eEye Digital Security, where he helped launch several market firsts, including vulnerability management solutions for cloud, mobile and virtualization technologies.

Prior to eEye, Brad served as Vice President of Strategy and Products at NetPro before its acquisition in 2008 by Quest Software. Over the years Brad has attained many industry certifications to support his management, consulting, and development activities. Brad has his Bachelor of Commerce, Specialization in Management Information Systems and MBA from the University of Ottawa.

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo