Third Party Risk Management and Assessment – Know Where You Stand

Vendors are a growing source of trouble for companies: reports show supply chain attacks, where an attacker reaches you through a supplier you trust, are rising in both frequency and impact. That makes third party risk management (TPRM) a priority for your business, though most people wouldn’t know where to start. So, how can you start with TPRM the right way?

Third party risk management starts with threat modeling. After that, vetting vendors, creating an appropriate onboarding process, and continuous monitoring are a must. Other areas, such as fourth party risk, should be covered too. Done well, TPRM reduces cybersecurity risk, along with the compliance and operational risk that comes with it.

A company does business with countless vendors, and often doesn’t realize the risk that comes with each one. TPRM puts that risk in perspective and helps you decide who you can trust and who you must part ways with. The first step is to define what qualifies as risky.

What Qualifies as Third Party Risk?

Third party risk is any issue that could come from third parties, such as vendors and suppliers. In cybersecurity, third party risk most often means supply chain attacks and related scenarios in which threat actors compromise a vendor in order to reach that vendor’s customers (for example, your company).

So, what’s third party risk management? It’s the practice that lets your company keep these problems from happening. You’re practicing TPRM whenever you take a closer look at a company you do business with to see whether it’s running a secure ship or a soon-to-be-sinking one.

The best way to understand these issues is to see the company areas third parties can compromise.

Company Areas Affected by Third Party Risk

  • Cybersecurity. Supply chain attacks are the go-to example of third party risk, and one of the worst issues companies face today. If a vendor’s product or update channel is compromised, you’ll install the attacker’s code along with the software you trust, without thinking twice about it. Doing business only with secure companies, and limiting the access you give them, is key.
  • Compliance. A compromised third party vendor can put your company’s compliance at risk. The main point of cybersecurity compliance is to keep data safe, which is close to impossible if threat actors have access to your network through a provider or supplier. Regulators hold you accountable for the data you’re responsible for whether the mistake was yours or a vendor’s, and the fines can run into the millions.
  • Operations. Your company relies on third parties for things we take for granted, such as electric power and an internet connection. There are large (and often overlooked) risks there: an unreliable power or connectivity provider can cause repeated outages through the year, and an unplanned outage can take a data center down with it.

Common Third Party Threats

Supply Chain Attack

A supply chain attack is an elaborate way to target one company, or as many companies as possible, through something they all trust. It requires a threat actor to compromise a vendor (its software, its build pipeline, or its update channel) so that the vendor’s own trusted product delivers malware to its clients.

How can threat actors perform a supply chain attack? There are countless ways. For example, they can poison an open source dependency the vendor builds on, either by inserting malicious code into a project the vendor already uses or by publishing a lookalike package under a name one typo away from a popular one, hoping the vendor pulls it into its software without noticing.

Impostor Vendor

A subset of supply chain attacks comes in the shape of impersonating vendors rather than compromising them. In this scenario, a threat actor creates a fake company with a catalog of fake products to sell. The goal isn’t to make money but to get its malware into the companies that buy.

How can threat actors impersonate vendors? They often take software from a legitimate company, add malware to it, repackage it, and put it up for sale. Unsuspecting customers agree to do business with the (fake) company and get infected in the process.

Does it sound too far-fetched to work? It isn’t: malicious actors disguised as vendors are one of the rising issues in cybersecurity.
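Both threats above (a poisoned or lookalike dependency, and a repackaged product sold by an impostor) are caught at the same point: when the software arrives. The script below is an added example, not code from the page or from any vendor. It runs two checks before an artifact reaches a build: it compares each artifact’s SHA-256 against a digest pinned from a channel separate from the download (a signed release page, for instance), and it flags any package whose name is within two edits of a package on your approved list. Every package name, artifact and digest in it is constructed for the example.

```python
"""Intake checks for third-party software.

Added example, not the page's code. Two checks run before a vendor
artifact or dependency reaches a build:
  1. integrity: the bytes received hash to the value the vendor published
     out of band (signed release notes, a hash on the vendor's site), so a
     repackaged or tampered build is caught even on a trusted channel
  2. lookalike names: a dependency whose name is one or two edits away
     from a package on the approved list is flagged as a possible typosquat
All package names, artifact bytes and digests below are constructed.
"""
import hashlib
from typing import Dict, List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory artifact."""
    return hashlib.sha256(data).hexdigest()


def verify_artifact(name: str, data: bytes, pinned: Dict[str, str]) -> str:
    """Return 'ok', 'unpinned' or 'hash-mismatch' for one artifact.

    An artifact with no pinned digest is reported rather than accepted:
    silence is how a swapped download gets through.
    """
    expected = pinned.get(name)
    if expected is None:
        return "unpinned"
    return "ok" if sha256_hex(data) == expected else "hash-mismatch"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) via the two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike(name: str, approved: List[str], max_edits: int = 2) -> Optional[str]:
    """Approved package that `name` nearly (but not exactly) matches, else None.

    Very short approved names are skipped: two edits on a four-letter name
    is a different word, not a typosquat.
    """
    name = name.lower()
    if name in approved:
        return None
    for good in approved:
        if len(good) >= 5 and edit_distance(name, good) <= max_edits:
            return good
    return None


def check_intake(received: Dict[str, bytes], pinned: Dict[str, str],
                 approved: List[str]) -> List[Tuple[str, str]]:
    """Run both checks over everything received; return (name, finding) pairs."""
    findings = []
    for name, data in received.items():
        status = verify_artifact(name, data, pinned)
        if status != "ok":
            findings.append((name, status))
        near = lookalike(name, approved)
        if near:
            findings.append((name, f"name resembles approved package '{near}'"))
    return findings


# --- constructed sample data ------------------------------------------------
AGENT_BUILD = b"widget-agent 2.4.1 release build (constructed bytes)"
REQUESTS_BUILD = b"requests 2.31.0 sdist (constructed bytes)"

# Digests as the vendor (hypothetically) published them out of band. In a
# real pipeline these are literal hex strings copied from the vendor's signed
# release page, never computed from the download being checked.
PINNED = {
    "widget-agent": sha256_hex(AGENT_BUILD),
    "requests": sha256_hex(REQUESTS_BUILD),
}
APPROVED = ["widget-agent", "requests", "cryptography"]

# What actually landed in the intake directory (constructed).
RECEIVED = {
    "widget-agent": AGENT_BUILD + b" + injected loader",      # repackaged build
    "requests": REQUESTS_BUILD,                                # genuine
    "reqeusts": b"setup.py that phones home (constructed)",    # typosquat
    "cryptography": b"cryptography 42 (constructed)",          # approved, never pinned
}

if __name__ == "__main__":
    for name, finding in check_intake(RECEIVED, PINNED, APPROVED):
        print(f"{name}: {finding}")
```

The "unpinned" result matters as much as the mismatch: an approved package nobody recorded a digest for is accepted on trust alone, which is exactly the gap a repackaged build walks through.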

Is Third Party Vendor Risk Management Necessary?

Every company that wants to avoid noncompliance fines or the cost of a data breach should put real emphasis on third party risk management. Malicious actors work several angles to target companies, and supply chain attacks are on the rise because they tend to work best.

Treat TPRM as the equal of malware prevention and detection. Has anyone ever doubted that you need to stop viruses and Trojan horses from reaching your devices? Of course not! Unmanaged third party risk can do as much harm as malware, because it’s often how the malware arrives.

However, malware detection mostly requires you to pick the right software, install it, and keep it updated. Third party vendor risk management is more involved. You’ll find our best practices below, so you can get started with TPRM today.

5 Third Party Risk Management Best Practices

1. Start With Threat Modeling

You can’t review every company you do business with at the same depth without burning out, in third party risk management as in anything else. So the first job is to figure out where the potential risk actually sits, instead of taking an exhausting look at every vendor equally.

How can you threat model the right way? Create three risk tiers: low, medium, and high. The tier you assign to each vendor depends on the business you run and on what the vendor does for you: what data it handles, what access it has to your network, and how badly you’d be hurt if it failed.

For example, your cloud provider safeguards your data, so it’s a high-risk vendor. The company you buy paper from has little chance of causing a data breach, so it’s low risk, unless it also has a login to your systems or a badge to your building.

2. Vet Your Vendors

You now have a long list of companies to inspect, starting with the high-risk tier. Vetting your vendors should be an exhaustive process where no stone is left unturned: check their history, the way they do business, the clients they serve, who they partner with, and so on.

Let’s take your cloud provider as an example. Have they suffered any data breaches recently? What controls protect their platform, and can they show independent audit results? Do they have an in-house security team, or do they outsource that? Answering these questions will tell you whether to continue doing business with them or look elsewhere.

3. Focus on Fourth Parties Too

An element often overlooked in third party risk management is fourth party risk. In other words, look at the companies that your third parties are themselves doing business with.

It’s not far-fetched to expect your vendors to get compromised via their own vendors. So a supply chain attack may start two degrees of separation from you and still affect your company.

What can you do about fourth party risk? Ask your vendors which companies they depend on, and look at those too. At the same time, apply the least-privilege principle wherever possible, so a compromise anywhere up the chain reaches as little of your network as possible.

4. Follow a Least-privilege Principle To Reduce Risk

A great tool for shrinking the attack surface (the many ways hackers have of attacking your company) is to enforce a least-privilege principle company-wide, meaning every person and every vendor gets only as much access as their role requires.

In other words, employees and vendors continue to do their jobs, but reach only the parts of the network needed for that job. Anything else should be off-limits.

Authorizations work the same way: employees and vendors should be granted the permissions their role needs to function, and nothing else.
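What "nothing else" looks like in practice is easiest to see on a vendor’s access policy. The script below is an added example, not the page’s code or any vendor’s: it lints IAM-style JSON policy documents (the shape AWS uses; both policies in it are constructed) and flags grants that are broader than one job needs, showing the policy a vendor integration is often handed "to make it work" beside the same integration scoped to the one prefix and source range it actually uses. The rules carry over to any role-based policy language built from actions and resources.

```python
"""Least-privilege review of access policies granted to a vendor.

Added example, not the page's code. Lints IAM-style JSON policy documents
(the shape AWS uses) and reports Allow statements that grant more than a
single integration needs. Both policies below are constructed.
"""
import json
from typing import List, Tuple

# Constructed: the grant a vendor integration is often handed "to make it work".
VENDOR_BROAD = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "iam:PassRole"],
         "Resource": "*"},
    ],
})

# Constructed: the same integration scoped to the one prefix it exchanges
# files through, and only from the vendor's published egress range.
VENDOR_SCOPED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::acme-vendor-exchange/inbound/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
})


def _as_list(value) -> list:
    """Action/Resource/Statement may be a single value or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json: str) -> List[Tuple[int, str]]:
    """Return (statement index, finding) pairs for every over-broad Allow."""
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        # NotAction in an Allow grants everything except the listed actions,
        # which is almost never what "only what the job needs" means.
        if "NotAction" in stmt:
            findings.append((idx, "Allow with NotAction grants everything not listed"))

        for action in actions:
            if action == "*":
                findings.append((idx, "action '*' grants every API in every service"))
            elif action.endswith(":*"):
                findings.append((idx, f"action '{action}' grants every API in the service"))

        for resource in resources:
            if resource == "*":
                findings.append((idx, "resource '*' applies the grant to every resource"))

        # Passing any role to a service is a well-known escalation path.
        if "iam:PassRole" in actions and "*" in resources:
            findings.append((idx, "iam:PassRole on every resource lets the vendor hand any role to a service"))
    return findings


if __name__ == "__main__":
    for label, policy in (("broad", VENDOR_BROAD), ("scoped", VENDOR_SCOPED)):
        print(f"{label}: {len(lint_policy(policy))} finding(s)")
        for idx, finding in lint_policy(policy):
            print(f"  statement {idx}: {finding}")
```

Run it against every policy attached to a vendor role before the vendor gets credentials, and again whenever the vendor asks for "a bit more access": the scoped policy in the example still lets the integration do its job, but a stolen vendor credential can only touch one prefix, and only from one address range.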

5. Continue to Monitor Everyone

It’s easy to pat yourself on the back after finding out which companies are too risky to do business with (and even unmasking an impostor vendor in the process), but that doesn’t mean the work is over.

You have to monitor your vendors the same way you monitor employees. It’s not about control but about spotting suspicious activity before it’s too late.

For example, imagine you thoroughly vet all your vendors and are satisfied with the result. A week later, a threat actor compromises one of those vetted vendors to launch a supply chain attack against your company. The only way to catch that is continuous monitoring: a one-time review says nothing about what happens after it.
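The concrete form of that monitoring is a baseline per vendor account, agreed at onboarding, and an alert whenever activity leaves it. The script below is an added example, not the page’s code: it replays constructed log lines in a simple key=value format through three checks (source address outside the vendor’s declared range, access to a host outside the vendor’s scope, access outside the agreed maintenance window) and also alerts on any account that has no baseline at all. The vendor names, addresses, hosts and log lines are all made up for the example.

```python
"""Continuous monitoring of vendor accounts.

Added example, not the page's code. Replays constructed log lines through
the checks that catch the scenario in the text: a vendor that passed
vetting last week and whose account is now being used by someone else.
Each vendor has a baseline recorded at onboarding (source range, hosts in
scope, maintenance window); anything outside it is an alert, whether or
not the login succeeded.
"""
import ipaddress
from datetime import datetime
from typing import Dict, List, Tuple

# Baselines as recorded at onboarding (constructed).
BASELINES = {
    "widget-corp": {
        "source_cidr": "203.0.113.0/24",        # the vendor's published egress range
        "hosts": {"app-prod-01", "app-prod-02"},  # the only hosts in the contract
        "window_utc": (8, 18),                   # access expected 08:00-18:00 UTC
    },
}

# Constructed log lines, '<UTC timestamp> key=value ...'.
SAMPLE_LOG = """\
2024-05-14T09:12:45Z vendor=widget-corp src=203.0.113.10 host=app-prod-01 action=ssh-login result=success
2024-05-14T09:40:02Z vendor=widget-corp src=203.0.113.10 host=app-prod-02 action=ssh-login result=success
2024-05-14T03:05:19Z vendor=widget-corp src=198.51.100.7 host=app-prod-01 action=ssh-login result=success
2024-05-14T10:15:33Z vendor=widget-corp src=203.0.113.10 host=db-prod-01 action=ssh-login result=failure
2024-05-14T10:16:01Z vendor=widget-corp src=203.0.113.10 host=db-prod-01 action=ssh-login result=failure
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a dict; the leading timestamp goes under 'ts'."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def check_event(event: Dict[str, str], baselines: dict) -> List[str]:
    """Compare one event to its vendor's baseline; return the alert reasons."""
    base = baselines.get(event.get("vendor"))
    if base is None:
        return ["vendor account not in baseline"]  # an account nobody onboarded
    reasons = []
    src = ipaddress.ip_address(event["src"])
    if src not in ipaddress.ip_network(base["source_cidr"]):
        reasons.append(f"source {src} outside declared range {base['source_cidr']}")
    if event["host"] not in base["hosts"]:
        reasons.append(f"host {event['host']} not in vendor scope")
    hour = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
    start, end = base["window_utc"]
    if not start <= hour < end:
        reasons.append(f"access at {hour:02d}:00 UTC outside window {start:02d}-{end:02d}")
    return reasons


def scan_log(text: str, baselines: dict) -> List[Tuple[str, List[str]]]:
    """Run every non-empty line through check_event; keep only the alerts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        reasons = check_event(parse_line(line), baselines)
        if reasons:
            alerts.append((line, reasons))
    return alerts


if __name__ == "__main__":
    for line, reasons in scan_log(SAMPLE_LOG, BASELINES):
        print(line)
        for reason in reasons:
            print(f"  ALERT: {reason}")
```

In the sample, the 03:05 login from an address outside the vendor’s range is the compromised-account pattern, and the two failed logins against a database host the vendor was never given are the attacker probing past the vendor’s scope; a point-in-time vetting review would see neither.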

Can You Close the Door on All Vendors?

It’s impossible to run a company without vendors and suppliers. The smallest entrepreneur still uses software, pays for internet access, and has bills to put up with. Most companies want to grow after a while, which means facing growing risks too.

In other words, you can’t reduce third party risk by closing the door on all vendors. You need them to run your business! That doesn’t mean you should throw caution to the wind and let anyone into your network.

Fortunately, you can vet your vendors, grant them the least privilege possible, and monitor them. That way, you cut down the chance of trouble down the line, and you catch it early when it does come.


Third party risks are too many to count, but that doesn’t mean you can’t have a simple prevention policy in place: vet your vendors, follow a least-privilege principle, and monitor third party activity. At the same time, don’t lose sight of other dangers, such as fourth party risk. Contact us here at U.S. Cybersecurity for a risk assessment.

Herman McCargo

Herman is a Microsoft Certified Security Engineer and Cybersecurity Specialist. He’s been in the technology field for over 20 years and has expertise working with the most critical technology infrastructures. He has a deep understanding of cyber risks, threat mitigation and prevention, and overseeing infrastructure.