As businesses increase their use of outsourcing, organisations are entrusting more of their business processes to third parties and business partners so they can focus on what they do best. This means they must ensure those third parties manage both privacy and security well, or risk business uncertainty, legal liability and reputational damage. The risk of cyber attacks and data breaches originating from third-party vendors must be identified and mitigated.
While outsourcing has great benefits, if vendors lack strong privacy and security controls, your organisation is exposed to operational, regulatory, financial and reputational risk. Vendor risk management (‘VRM’) or third-party risk management (‘TPRM’) deals with the management and monitoring of risks arising from third-party vendors and suppliers of products and services. With more cyber threats and ransomware attacks being reported than ever before, it is important to stay ahead of the curve and manage these risks proactively.
Here are some key things to know about vendor/third-party risk:
Risks might start small, but tend to move up
If an attacker is going to target a large organisation, they will want an entry point that does not raise suspicion: a valid access path that looks legitimate while they use it. The attacker finds a third party that is less secure, often a smaller vendor with less stringent security controls, and then leverages that vendor's access to break into the higher-value organisation. Sometimes they work through a chain of suppliers until they reach their target.
The Dutch data protection authority gives a real-world example: an educational institution was told by a supplier (a processor) that the supplier had been the victim of phishing. This had given unauthorised persons access to the mailbox of one of the supplier's employees. From that mailbox, new phishing mails were sent, including to the educational institution, which in turn gave the attackers access to mailboxes at the institution.
The attackers had access to the names, addresses, contact details and identity details of thousands of people. The compromised mailbox also contained several copies of teachers' passports.
You are responsible for your vendors
For end customers, the complexity of third-party relationships makes the full scope of privacy and security risk difficult to comprehend. Even if a breach is due to a service provider's lax security, in the mind of the customer it is the main organisation that bears responsibility, and it is the main organisation that will be named in the media: customers provided their data to you, not to your suppliers. Furthermore, the organisation will often find it difficult to show that it took sufficient steps to manage its third-party risk through due diligence, and regulators will generally consider it to retain responsibility even when a third party handled the data on its behalf. A company that takes every precaution internally but fails to vet the security of a vendor, for example with a privacy and security assessment questionnaire, may as well have taken no precautions at all.
What does effective vendor risk/third-party risk management look like?
To be effective in third-party risk management, you need to apply a consistent set of criteria to every vendor, scaled to the type of product or service they provide and to the sensitivity of the data or access involved.