Creating trusted third-party ecosystems with a shared duty to security compliance
Managing third-party cybersecurity risk across interconnected supplier ecosystems is becoming increasingly daunting. Software and systems that used to be managed in-house are now routinely delivered as hosted services by multiple vendors and contractors. Other third parties are frequently brought in at departmental level, often bypassing contracting procedures, and have access to applications that hold sensitive data and business-critical information.
A single mistake anywhere in the supply chain could result in data breaches, compliance fines, as well as revenue losses, reputational damage, and a wide range of negative business consequences for months, or even years, down the line.
It’s a burgeoning problem for many organizations, especially those that don’t have dedicated risk and compliance teams. However, it is possible to mitigate risk and build trust with suppliers by using technology to automate continuous monitoring and, at the same time, reduce labor-intensive compliance processes.
Instead of one-off manual checks, automation can handle repetitive tasks and constant verification against pre-configured frameworks. By implementing a ready-built compliance platform alongside a manual component, organizations can consistently measure vendor performance against risk management policy standards, automatically highlight issues, and document results. In the case of a vendor questionnaire, for example, the process begins with automation but then lets individuals thoroughly review and evaluate the responses provided, as well as the findings of any compliance audit report. These solutions support standard privacy, data protection and security frameworks such as ISO 27001 and GDPR, plus the capability to customize frameworks for specialist disciplines.
Leveraging these pre-mapped controls can save organizations up to 80 percent of their time compared to carrying out manual assessments of third parties. Features like flagging and risk scores measure supplier performance, and reports provide real-time visibility into how third parties are impacting the risk and security posture of an organization.
Cybersecurity as a moral obligation
Being able to share regular compliance performance reports with vendors not only helps to prevent issues and ensure accountability to specific security standards but can also strengthen trust. Suppliers that rectify issues promptly are more likely to benefit from long-term, productive relationships, whereas those that don’t comply, and don’t make improvements, can be offboarded swiftly.
Similar to health and safety obligations, it’s important that all enterprises acknowledge their moral and contractual duty to protect each other’s data and privacy. Third parties should demonstrate that, as well as having appropriate security controls in place, they are committed throughout their operations to protecting customers and business partners against cyberattacks.
While self-completed security questionnaires can be used to understand how a potential third party manages its own cybersecurity risks, penetration testing and independent third-party audits provide more objective assessments of the third party’s security status and risk management processes.
Trust should never be assumed based on size, brand, or influence alone, as everyone is at risk. The entire ecosystem needs to be considered, extending to fourth parties that could enable attackers to pivot into other networks. Companies or individuals that pose a lesser risk may not warrant as much attention, but every external relationship needs to be reviewed and then, if approved, added to an internal register of current suppliers.
Organizations must give clear, documented direction regarding any remediation steps needed for compliance, plus update the relevant contract and service level agreement to reflect these changes.
Continuous monitoring, improvement, and collaboration to minimize cyber risk and reaffirm trust should continue across all stages of the vendor or third-party lifecycle, typically divided into the following four stages.
Key aspects in the risk management lifecycle
1. Assessment and selection
When inviting vendors to bid or pitch for work, the security questionnaire should be part of the brief or RFP. Instigate intensive assessments of vendors that have comprehensive access to systems. Consider signing the final contract only after reviewing an audit report, which will highlight any areas that have not met the requirements. Maintain a register of third-party suppliers and update it with new contracts.
2. Contracting and onboarding
Ensure every vendor or third party signs a contract or agreement with compliance expectations and timelines clearly stated, including remediation of any issues identified in the selection process. Create and implement the internal controls needed to manage each vendor’s risk potential.
3. Monitor and review
Continuously monitor compliance against risk management policies. Make compliance part of performance reviews, but don’t wait to address problems. Fix issues when they arise or end a risky relationship as soon as feasible.
4. Termination and offboarding
Whether a vendor relationship ends naturally or as a result of non-compliance, eliminate the risk exposure effectively. Ensure the vendor is removed from all systems, check that they no longer possess sensitive information, and obtain confirmation that data has been deleted in accordance with their contract. Update the third-party register accordingly.
Additionally, take the time to educate employees about the importance of cybersecurity obligations when engaging with third parties. Making security an integral part of the procurement process and vendor lifecycle management will help to ensure that it stays at the top of everyone’s mind, wherever they fit into the supply chain.
Alev Viggio is Director of Compliance, Drata.