In part one of this series, we discussed the findings of CyberRisk Alliance’s Third-Party Risk: A Turbulent Outlook, noting that 95% of businesses surveyed reported partnerships with IT software, platform, or service providers. In part two, we delved into survey respondents' greatest concerns about third-party cyber risk. Here, we delineate the best practices and procedures exhibited by the companies identified as third-party cyber risk management “champions.”
Now more than ever, organizations are turning to outside vendors, contractors, and other providers to address the pandemic-prompted shift to remote operations and need to backfill talent in the face of the Great Resignation. With that outsourcing has come a widening channel of vectors through which threat actors infiltrate larger targets.
What best practices can minimize risk for companies that sub out aspects of their operations? In December 2021, Trava sponsored a CyberRisk Alliance survey of 301 IT and cybersecurity professionals whose organizations worked with third-party partners.
Of these respondents, the survey identified 214 as “champions” with superior third-party risk management best practices and procedures. Their industries varied: health care, financial services, retail, manufacturing, high-tech/IT.
“Likely driven by their large and complex supply chains and/or regulatory compliance mandates,” the survey suggests, “champions can be role models in helping others secure their organizations against attacks originating from their external partners, vendors, suppliers, contractors, and service providers.”
Protect your company from third-party risks with these seven best practices and procedures:
- Prioritize third-party risk management. Virtually all champions indicate that third-party risk management is either a critical priority (42%) or a high priority (53%) at their organization, and nearly half of them (46%) say they have significantly increased their focus on third-party risk management since 2020.
- Stay wary of third-party partner risk. While champions rely on their external partners to do business, they have few illusions about the IT security risks their third parties potentially impose. Respondents in this segment are significantly more likely than their non-champion counterparts to be concerned about third-party breaches disrupting their supply chain—half of all champions consider this one of their top three concerns in the next 12 months.
- Follow industry standards and guidelines. On average, champions are twice as likely than non-champion organizations to follow industry standard frameworks in their third-party assessments. For example, 48% of champions say they use the NIST Cybersecurity Framework, 28% use ISO 27001, and 27% use ISO 27036.
- Adopt multiple methods to vet third-party partners. Champions use various methods to vet their partners. For example, 46% of champions (vs. 36% of non-champions) report using an outside service that provides third-party risk assessment or scoring. Champions are also more likely than non-champions to use questionnaires (41% vs. 24%, respectively). Additionally, many champions use partner references (43%) as well as their own partner assessment methods (55%).
- Continually reassess third parties for risk. Nearly half (45%) of all champions reported they conduct ongoing assessments of their third-party partners after acquiring them—almost twice as many as non-champion organizations (25%), who generally tend to check up on third parties once or twice per year (53%).
- Strive for high supply chain visibility. Champions are about five times more likely (94%) than non-champions (18%) to believe their ability to track individual components of their supply chain is either critical or very important. Indeed, a large majority of champions say they can either see their most critical third-party direct dependencies (47%) or see a full map of all interdependencies across all tiers in their supply chain (31%). Additionally, champions are much more likely than their non-champion counterparts (86% vs. 47%, respectively) to believe supply chain visibility has become somewhat more important or much more important compared to two years ago.
- Adopt third-party risk technology. More than half of all champions (56%)—and twice as many non-champions — use a third-party risk management software tool or platform as their primary method for tracking and monitoring third-party risk. Their top purchase criteria for these investments (rated as “very important”) include reporting and compliance dashboards (36%); standardized vendor assessments and scorecards (32%); risk-factor reporting for their specific environment (32%); and standardized, repeatable formulas for sharing assessment data (29%).
Source: CyberRisk Alliance, Third Party Risk: A Turbulent Outlook: Findings from a December 2021 Research Study, January 2022. Download the report.