A 19-year-old was able to open windows and doors, crank up the radio, start keyless driving and more on numerous Tesla cars.
How could he possibly do this? It was not due to vulnerabilities in the main Tesla software. Instead, this was achieved by exploiting a vulnerability in a third-party app.
Unauthorized access to key functionality is bad enough. However, by taking advantage of security weaknesses in a third-party app, he was also able to retrieve substantial amounts of sensitive data.
Your Data Is At Risk
The bottom line is that if your company uses third-party vendors and apps, then your business and your data are at risk.
A third-party risk management (TPRM) program provides a key defense against third-party vendor vulnerabilities. Your vendors may have access to sensitive data and unless you manage them you do not know what security controls they have in place. A breach in their security can result in interrupted operations, a financial loss, and perhaps most significantly a reputational loss.
This article provides an overview of third-party risk, the goals and components of a TPRM program, as well as a review of assessment schedules and how to keep on top of vendor risk between assessments.
What Is Third-Party Risk?
Risk is introduced when you use a third-party vendor. They may have access to sensitive data or your key intellectual property.
Without proper onboarding and monitoring, you would be unaware of the level of security (if any) your vendor has in place. You would also not have visibility into the effectiveness of the security controls they have chosen to implement.
A vulnerability in their system could allow an attacker to gain access to your systems. If there is a vendor related breach, your data could be compromised, potentially resulting in financial as well as regulatory issues for your organization.
As the use of third-party vendors has increased so has the number of cybersecurity attacks. To protect your organization, a robust TPRM program is essential.
What Are the Goals of the TPRM Group?
A TPRM team is responsible for managing third-party vendor risk within your company. This involves an end-to-end set of processes that covers the full vendor life cycle, from initial selection to final offboarding from your organization.
The goal of the TPRM team is to help the business make informed decisions about the level of third-party vendor engagement that makes sense from a risk-reward perspective. It also aims to minimize the risk that a third-party vendor becomes the source of a data breach, loss of key intellectual property, or disruption of business operations.
You Need Visibility into Security Posture of Vendors
By providing visibility into the security posture of vendors, the TPRM team can reduce the likelihood that the wrong vendors will be selected from a security perspective. They also can reduce the impact of potential issues by identifying compensating controls as well as the need for a company’s vendors to implement timely remediation plans.
Key Components of a Third-Party Risk Program
The third-party program consists of a comprehensive set of processes that start with classifying the level of risk associated with each vendor. Factors for determining the level of risk include:
- Sensitivity of data involved
- Level of vendor access to networks and resources
- Level of administrative privileges involved - local vs. root account access
- Extent or size of vendor implementation
- Service level agreements involved
- Whether service or functionality is critical to company operations
Assign a Risk Level
By rating each element of the engagement and assigning an associated risk level, a composite risk score for that vendor can be determined. Once this process has been performed for all of an organization’s vendors, a relative risk ranking can then be determined with individual vendors being assigned a critical, high, medium, or low rating.
The next component, after determining the level of specific risk, is to define the frequency and depth of the assessment to be performed.
Given the limited time and resources most organizations operate under, a risk-based approach typically makes sense. To that end, you would apply the most resources to your highest-risk vendors and assess them the most frequently and to the greatest depth.
A common assessment schedule your organization could consider would be to assess:
- Critical vendors every 6 months
- High risk vendors every year
- Medium risk vendors every 2 years
- Low risk vendors every 3 years
In this way you have broad coverage, so no vendor goes without a detailed review, while focus is maintained on the vendors that pose the greatest risk to your organization.
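As an added example that is not part of the original article, the following Python sketch turns the scoring and scheduling steps above into a small calculator: it rates each of the six factors listed earlier, computes a weighted composite, assigns a critical/high/medium/low tier, and derives the next assessment date from the 6/12/24/36-month schedule. The factor weights, the 1-to-5 rating scale, the tier thresholds and the sample vendors are assumptions chosen for illustration; only the six factors and the assessment intervals come from the article.

```python
"""Illustrative vendor risk scoring and assessment scheduling.

Added example, not code from the article. Weights, the 1-5 scale, tier
thresholds and the sample vendors are constructed assumptions; the
assessment intervals are the ones the article suggests.
"""
from calendar import monthrange
from dataclasses import dataclass
from datetime import date

# The six risk factors listed in the article, each rated 1 (lowest) to 5 (highest).
FACTORS = (
    "data_sensitivity",         # sensitivity of data involved
    "network_access",           # level of vendor access to networks and resources
    "admin_privileges",         # local vs. root/administrative account access
    "implementation_size",      # extent or size of the vendor implementation
    "sla_dependency",           # service level agreements involved
    "operational_criticality",  # whether the service is critical to operations
)

# Assumed weights: data sensitivity and privilege level count more than footprint.
WEIGHTS = {
    "data_sensitivity": 2.0, "network_access": 1.5, "admin_privileges": 2.0,
    "implementation_size": 1.0, "sla_dependency": 1.0, "operational_criticality": 1.5,
}

# Assumed tier floors on the weighted 1-5 composite, checked from highest to lowest.
TIER_THRESHOLDS = (("critical", 4.0), ("high", 3.0), ("medium", 2.0), ("low", 0.0))

# Assessment cadence from the article's suggested schedule, in months.
ASSESSMENT_INTERVAL_MONTHS = {"critical": 6, "high": 12, "medium": 24, "low": 36}


@dataclass(frozen=True)
class Vendor:
    name: str
    ratings: dict        # factor name -> integer rating 1..5
    last_assessed: date


def composite_score(ratings):
    """Weighted mean of the factor ratings, rounded, on the same 1-5 scale."""
    missing = set(FACTORS) - set(ratings)
    if missing:
        raise ValueError(f"missing ratings for: {sorted(missing)}")
    for factor, value in ratings.items():
        if factor not in WEIGHTS or not 1 <= value <= 5:
            raise ValueError(f"bad rating {factor}={value!r}")
    weighted = sum(WEIGHTS[f] * ratings[f] for f in FACTORS)
    return round(weighted / sum(WEIGHTS.values()), 2)


def risk_tier(score):
    """Map a composite score to the article's critical/high/medium/low rating."""
    for tier, floor in TIER_THRESHOLDS:
        if score >= floor:
            return tier
    return "low"


def add_months(d, months):
    """Calendar-correct month arithmetic (31 Jan + 1 month clamps to end of Feb)."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def next_assessment_due(vendor):
    """Next assessment date from the vendor's tier and its last assessment."""
    tier = risk_tier(composite_score(vendor.ratings))
    return add_months(vendor.last_assessed, ASSESSMENT_INTERVAL_MONTHS[tier])


def rank_vendors(vendors):
    """Relative risk ranking across the portfolio, highest composite first."""
    return sorted(vendors, key=lambda v: composite_score(v.ratings), reverse=True)


def overdue_assessments(vendors, today):
    """Names of vendors whose next assessment date has passed, highest risk first."""
    return [v.name for v in rank_vendors(vendors) if next_assessment_due(v) < today]


# Constructed sample portfolio; the names and ratings are made up for illustration.
SAMPLE_VENDORS = [
    Vendor("payroll-saas", {"data_sensitivity": 5, "network_access": 4, "admin_privileges": 5,
                            "implementation_size": 3, "sla_dependency": 4,
                            "operational_criticality": 5}, date(2024, 1, 15)),
    Vendor("cloud-backup", {"data_sensitivity": 4, "network_access": 4, "admin_privileges": 4,
                            "implementation_size": 2, "sla_dependency": 3,
                            "operational_criticality": 2}, date(2023, 5, 20)),
    Vendor("marketing-analytics", {"data_sensitivity": 3, "network_access": 3, "admin_privileges": 2,
                                   "implementation_size": 4, "sla_dependency": 2,
                                   "operational_criticality": 3}, date(2023, 6, 1)),
    Vendor("office-catering", {f: 1 for f in FACTORS}, date(2022, 3, 31)),
]

if __name__ == "__main__":
    for v in rank_vendors(SAMPLE_VENDORS):
        s = composite_score(v.ratings)
        print(f"{v.name:20} score={s:.2f} tier={risk_tier(s):8} next due {next_assessment_due(v)}")
    print("overdue as of 2024-09-01:", overdue_assessments(SAMPLE_VENDORS, date(2024, 9, 1)))
```

Running the script ranks the four constructed vendors and lists the two whose review window has lapsed; the point is that the ranking and the schedule fall out of the same factor ratings, so a change in one rating (say, a vendor being granted administrative access) moves both its tier and its next review date.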
How to Fill in the Gaps Between Assessments
Once an assessment has been completed, an important question for a TPRM program is what is being done to ensure the vendor's security practices remain consistent until the next assessment is due.
The answer is to consider implementing a continuous monitoring program. To learn more, read Are You Waiting 75 Days to Learn About Your Data Being Breached?
Automating the continuous review of vendor security posture through monitoring services makes it feasible for the TPRM group within your company to detect changes in vendor risk in a timely and efficient manner.
Continuous monitoring also empowers your company to become proactive in reaching out to your vendors when warning signs or negative trends in risk metrics and reports are observed.
Establishing a third-party risk management program ensures that your company maintains an effective review of all vendors who potentially have access to sensitive data or resources.
By taking a risk-based approach you can match vendor risk levels to the appropriate breadth and depth of assessment and monitoring. This enables you to establish a key defense layer to protect your organization from cyber incidents.
Christine has 15+ years in the technical industry developing software, leading teams along with extensive experience as a hiring manager. She found that she really enjoyed the process of building teams and interacting with candidates and business customers. As a result, Christine decided to make the hiring process her focus and started Vector Recruiting.