How Well Do You Know Your Third Parties?
by Mark Herrlinger
How well do you know your third parties? Are your records accurate and up-to-date?
Modern economies rely on third parties, but they also pose a significant cyber risk. In fact, 67% of data breaches stem from third-party compromises. Third parties encompass vendors, partners, suppliers, contractors, service providers, and consultants: basically, any company or individual with whom you have entered a business relationship.
One of the many challenges of having a large third-party network is maintaining a current inventory of who they are. After all, if you don’t know which third parties are in your network, you can’t understand the potential risks and vulnerabilities those relationships introduce. For example, nearly half of the companies impacted by the SolarWinds incident didn’t even know they were using SolarWinds. The last thing you want is to be notified by a third party that you didn’t even know you were using that they had a breach. The goal here is to be proactive and informed.
Correctly Identifying Each of Your Third Parties
Third parties should be systematically and continuously tracked, beginning with the full legal name of the registered business, company, or individual. To avoid expensive errors caused by ambiguity, never track them by their brand name, trademark name, alternate names, DBA names, software titles, websites, or other potentially confusing identifiers.
This table shows commonly mistaken third-party names (the brand) vs. the parent company that owns them. Referring to a third party by its brand name can create confusion and error when it’s time to evaluate it.
Brand Name | Parent Company
Google Drive | Google LLC (Parent: Alphabet Inc.)
SharePoint | Microsoft Corporation
MacBook | Apple Incorporated
Gillette | The Procter & Gamble Company
Photoshop | Adobe Systems Incorporated
Unix | The Open Group
Exxon | The ExxonMobil Corporation
Having to work out which third-party company you are actually dealing with, and what its impact on your business is, in the middle of a data breach is not ideal. Thus, it’s essential to conduct due diligence systematically before entering into a third-party relationship to prevent such scenarios. As an example, there are 8,878 registered companies with “Fidelity” in the name. If you only have “Fidelity” listed as your third party, would you know which one it is?
Establishing Cyber Relevance
When conducting a cyber risk analysis of your third parties, it is essential to establish the third party’s cyber relevance. For example, a cloud storage provider that hosts a company's intellectual property is highly valuable and cyber-relevant, given that they hold the company's most important data. But what about a small business that cares for your office plants? It might be easy to discount them as not cyber-relevant since they do not maintain any company data. However, you might want to rethink your classification if they have after-hours access with minimal supervision to areas where secure data is housed or accessed. This seemingly non-cyber-relevant company could become very relevant with a simple USB thumb drive from a malicious contractor used by your third party.
Let’s look at another scenario. What about a travel services company maintaining records on every executive’s travel schedule? Could this data have value in the wrong hands?
Or how about an HVAC services company or even a company that monitors fish tanks in casinos?
These are all examples of high-profile, multimillion-dollar data breaches through a third party. The point here: your third parties' cyber relevance needs to be evaluated carefully.
Performing Your Due Diligence
When analyzing your third parties, it is important to examine the product or service they provide and how your company interacts with them. Your objective is to understand the interaction they have with your:
- Applications
- Business Processes
- Data
- Devices
- Digital Identities
- Facilities
- Networks
- People
The more significant the interaction they have with your company, the higher the risk they present and the stronger the due diligence you need to perform to ensure that you and the third party have the appropriate controls in place. Third parties with a high interaction with your company will have a more significant, more costly impact on you should they experience a security incident.
Because the risk of digital fallout is so high, third-party data gathering and due diligence should be integrated into your procurement process. Before approving a new third party, a minimum of the following should be obtained and tracked:
- Full legal name of the third-party entity, including the corporate ending such as Corp., Group, Inc., LLC, LTD, PC, etc.
- The full legal name of the parent company of your third party (if applicable).
- Third party’s full headquarters address and primary phone number.
- The primary domain name (used for numerous security ratings and security assessment companies).
- Product or service the entity provides your company, including how/when the product or service is used.
- At least two contacts at the third party (phone and email) that you can reach out to with questions on cybersecurity controls or in the event of a security incident.
- Inherent risk ranking. CyberGRX provides Auto Inherent Risk insights to automate the process, replacing the manual work of determining your inherent risk.
- Residual risk ranking (especially if they interact significantly with your company’s data, facilities, people, applications, business processes, networks, devices, and/or digital identities). CyberGRX Predictive Risk Profiles are especially effective, with up to a 91% accuracy rate.
- The department and internal contact of the primary internal stakeholder(s) for the product or service.
- Impact to you if the product or services provided by the third party were immediately severed due to a security incident.
- Financial and contract information, including automatic renewal dates.
Ideally, the above should be reviewed and updated annually as a part of your formal contract renewal process.
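As an added example (not from the article or from CyberGRX), the following Python intake check encodes the minimum record listed above together with the full-legal-name rule from the earlier section, so a record tracked by a brand name or missing contacts is flagged before the third party is approved. The corporate-ending pattern, the four-level risk scale and the SharePoint sample record are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Corporate endings the article lists for a full legal name; the pattern is an
# assumption for this example, extend it for other jurisdictions.
LEGAL_ENDING = re.compile(r"\b(Corp\.?|Corporation|Group|Inc\.?|Incorporated|LLC|Ltd\.?|PC|Company)$", re.I)
# A bare registrable hostname (no scheme, path or port), as security-rating services expect.
DOMAIN = re.compile(r"^([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)
RISK_LEVELS = {"low", "medium", "high", "critical"}  # assumed ranking scale
REQUIRED_TEXT = ("hq_address", "hq_phone", "product_or_service",
                 "internal_stakeholder", "severance_impact", "contract_renewal")

@dataclass
class ThirdParty:
    legal_name: str
    hq_address: str
    hq_phone: str
    primary_domain: str
    product_or_service: str
    contacts: list            # [{"name": ..., "email": ..., "phone": ...}, ...]
    inherent_risk: str
    residual_risk: str
    internal_stakeholder: str  # department and person owning the relationship
    severance_impact: str      # what breaks if the service is cut off today
    contract_renewal: str      # ISO date of the next (auto-)renewal
    parent_legal_name: str = ""  # empty when there is no parent company

def intake_findings(tp: ThirdParty) -> list:
    """Return the checklist gaps in a record; an empty list means it passes intake."""
    gaps = []
    if not LEGAL_ENDING.search(tp.legal_name.strip()):
        gaps.append("legal_name has no corporate ending: brand or DBA name?")
    if tp.parent_legal_name and not LEGAL_ENDING.search(tp.parent_legal_name.strip()):
        gaps.append("parent_legal_name has no corporate ending")
    if not DOMAIN.match(tp.primary_domain):
        gaps.append("primary_domain must be a bare hostname such as example.com")
    reachable = [c for c in tp.contacts if "@" in c.get("email", "") and c.get("phone")]
    if len(reachable) < 2:
        gaps.append("need at least two contacts with both email and phone")
    for label in ("inherent_risk", "residual_risk"):
        if getattr(tp, label).lower() not in RISK_LEVELS:
            gaps.append(f"{label} must be one of {sorted(RISK_LEVELS)}")
    for label in REQUIRED_TEXT:
        if not getattr(tp, label).strip():
            gaps.append(f"{label} is empty")
    return gaps

# Constructed sample of a record kept by brand name; not a real inventory entry.
SAMPLE = ThirdParty("SharePoint", "", "+1 555 0100", "https://sharepoint.com", "Intranet",
                    [{"name": "A. Smith", "email": "a.smith@example.com", "phone": ""}],
                    "High", "unknown", "IT / J. Doe", "Intranet offline", "2025-01-01")
```

Running `intake_findings(SAMPLE)` reports five gaps, including that the name looks like a brand and that the domain is a URL rather than a hostname.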
Cyber Risk Visibility Beyond the Immediate Organization
Of course, evaluating third parties is a time-consuming process, and it’s not possible or practical to assess each one every year. Third-party risk management platforms like CyberGRX are instrumental for gaining portfolio-wide risk visibility and awareness to determine which of your third parties pose more significant risks and need deeper evaluation.
CyberGRX also provides organizations with enhanced cyber risk intelligence, enabling security practitioners to make well-informed decisions regarding vendor access, third-party security control implementations and remediations, and even supplier decisions on a larger strategic level.
Mitigating Third-Party Risk
In short, as cyberattacks increase in volume and sophistication, it’s only a matter of time before critical third parties in your ecosystem succumb to security failures, if they haven’t already. With the proper third-party risk management measures in place, organizations are better positioned to thrive when digital interdependence is a standard mode of business operations.
Effective third-party risk management starts with knowing who your third parties are and how your company engages with them, then identifying who the risky players in your portfolio are, so you can proactively address them. By doing our part in identifying and remediating risks, our digital world is safer for all of us.
For more information on CyberGRX and our risk Exchange platform, we invite you to book a demo.