As companies outsource more of their operations to outside vendors, securing this extended ecosystem has become more complex. And as malicious attackers try to enter organizations through their third-party vendors, the potential attack surface has increased. Unfortunately, most companies don’t have the strategies in place to manage third-party risk. Today, nearly 59% of organizations have experienced a data breach due to a third party, according to Gartner.[i] Yet just 16% of organizations say they effectively manage these risks.[ii]
Third-Party Risk: A Growing Problem for Today’s Organizations
For today’s organizations, outsourcing has become an integral part of doing business. As companies search for ways to reduce costs and capitalize on the expertise third parties provide, they’re outsourcing work to vendors, suppliers, consultants, and contractors that help them operate more innovatively and efficiently. And as the gig economy continues to recover from the COVID-19 pandemic, global outsourcing is expected to become an even larger part of our everyday work environment over the next several years.
Modern organizations typically power their operations using multiple platforms, applications, and workloads, making it complicated enough to manage their internal risk. Add to that the need to oversee the risk presented by hundreds and even thousands of third-party vendors, and the challenge can quickly become overwhelming.
Why It’s Critical to Minimize Third-Party Risk
But while third parties complicate the security picture, organizations that ignore this challenge do so at their own peril. As the risks posed by third parties continue to grow, companies without a comprehensive strategy for managing third-party risk leave themselves exposed to a number of threats. These include:
- Operations disruptions: A vendor suffering from a natural disaster or cyberattack can become temporarily locked down, disrupting the supply chain and business operations for the organizations they supply. Without visibility into this risk and an accompanying backup plan, an organization can’t reliably maintain operations when vendor disruptions occur.
- Data breaches: The average cost of a data breach for companies across the globe grew to $3.92 billion in 2020.[iii] And for data breaches involving a third party, the average cost is $700,000 more.[iv] Today’s cyber attackers use a variety of sophisticated techniques to access an organization’s sensitive information, and an increasing number of incidents involve stealing the credentials of third-party vendors with access to this data.
- Lost revenue: The failure to monitor third-party risk can jeopardize an organization’s bottom line. For example, a defective or delayed component can lead to lost sales. Compliance violations can trigger fines and legal fees. And a single data breach can cost a large organization billions of dollars in lost revenue.
- Reputational damage: Companies that fail to effectively manage their third-party relationships risk exposing themselves to negative public opinion. The security breaches, compliance violations, and substandard customer service that can result from mismanaging these outsourced relationships can damage an organization’s reputation and its brand.
- Compliance violations: From the European Union’s General Data Protection Regulation (GDPR) to the California Consumer Privacy Act (CCPA), many regulations now hold organizations responsible when a third party with access to their customer information suffers a data breach—even if the organization wasn’t directly responsible. Organizations that fail to manage third-party risk open themselves up to regulatory penalties that can harm their earnings and their reputation.
Tips for Managing Third-Party Risk
While the risks of failing to manage third-party vendors are dire, with a comprehensive third-party risk management (TPRM) plan in place, organizations can reap the benefits of outsourcing while minimizing the threats.
As you work to develop a TPRM plan, here are a few tips to consider:
- Create a centralized framework for managing third-party relationships: While third-party risk is growing, only 20% of organizations report using a centralized model to manage these risks, according to Gartner.[v] By taking an enterprise-wide approach, organizations can obtain the complete visibility they need to properly manage all the third parties they work with—ensuring they neither duplicate efforts nor miss critical third-party risks that could damage the organization.
- Prioritize your highest-risk vendors: Not every vendor carries the same risk level. For example, only certain vendors typically have access to an organization’s sensitive data, intellectual property, personally identifiable information, and protected health information. In addition, some third-party products and services are more vital to an organization’s day-to-day operations than others. By prioritizing the highest-risk vendors, organizations can focus their efforts where they’re most needed, immediately reducing the greatest risks to their organization.
- Assign every third party a security score: To minimize third-party security risks, organizations need to evaluate the risks of each third party before granting it a place in the organization’s ecosystem. Many organizations do this by assigning each potential vendor a security rating and then inviting only those with a minimally acceptable security score to move on to the next step.
- Develop a comprehensive security questionnaire: To discover security risks that may not be apparent, organizations should require potential third-party vendors to fill out a detailed security questionnaire. The questionnaire should assess the vendor’s compliance, data privacy, information access management, and data recovery efforts. It should also determine the vendor’s policies for working with its own supply chain. Many well-tested templates already exist to help organizations better understand their vendors’ risk profiles.
- Secure third-party access to your organization’s sensitive data: As more malicious attackers attempt to access an organization’s critical assets through their third-party vendors, it’s critical to control third-party access to these resources. Many organizations are turning to automated solutions to help them enforce policy-based controls, detect unauthorized access, and quickly deactivate expired accounts.
- Continually monitor third parties with whom you work: Today’s organizations operate in dynamic environments in which they’re constantly adding new vendors, ending relationships with existing ones, and changing the scope of their third-party agreements. At the same time, vendors themselves are always in flux, adding new security measures and making changes to their internal policies and infrastructures. Ongoing monitoring, including periodic reassessment of each vendor’s risk, is an important part of an effective TPRM plan. These risk reassessments should be performed at least annually, or more often depending on the vendor’s risk level.
- Implement strong vendor off-boarding policies: If a vendor fails to meet security requirements, the relationship should be ended, with a plan to hire another third party in its place. Whatever the reason for ending a third-party relationship, it’s important to implement thorough off-boarding procedures. Oftentimes, organizations develop a checklist for vendors to ensure that all the required measures are taken. They also maintain detailed records of the vendor’s activities in case they’re later asked to produce an audit trail for compliance purposes.
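The tiering, periodic-reassessment and expiry tips above can be turned into a small automated review. The following is an added example, not SailPoint code or any PAM product’s API: the vendor records are constructed sample data, and the per-tier review intervals are assumptions chosen to satisfy the “at least annually, more often for higher risk” rule.

```python
"""Added example: queue actions for a third-party access review.
Vendor records and tier intervals below are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed reassessment cadence: annual floor, tighter for higher-risk tiers.
REVIEW_INTERVAL_DAYS = {"high": 90, "medium": 180, "low": 365}


@dataclass
class VendorAccess:
    vendor: str
    risk_tier: str            # "high" | "medium" | "low"
    last_assessed: date       # date the security score/questionnaire was last reviewed
    access_expires: date      # hard expiry set when access was granted
    handles_sensitive_data: bool


def review_actions(records, today):
    """Return (vendor, action, reason) tuples for the review queue."""
    actions = []
    for r in records:
        if r.access_expires <= today:
            # Expired temporary access is deactivated, then off-boarded.
            actions.append((r.vendor, "deactivate", "access expired"))
            continue
        due = r.last_assessed + timedelta(days=REVIEW_INTERVAL_DAYS[r.risk_tier])
        if due <= today:
            actions.append((r.vendor, "reassess", f"review overdue since {due}"))
        # Sensitive-data access in the lowest tier means the vendor was mis-tiered.
        if r.handles_sensitive_data and r.risk_tier == "low":
            actions.append((r.vendor, "retier", "sensitive data access but low tier"))
    return actions


TODAY = date(2021, 6, 1)  # constructed reference date
SAMPLE_VENDORS = [
    VendorAccess("payroll-saas", "high", date(2021, 1, 15), date(2021, 12, 31), True),
    VendorAccess("hvac-contractor", "low", date(2020, 12, 1), date(2021, 5, 30), False),
    VendorAccess("analytics-vendor", "low", date(2021, 5, 1), date(2022, 1, 1), True),
    VendorAccess("print-shop", "medium", date(2021, 3, 1), date(2022, 3, 1), False),
]

if __name__ == "__main__":
    for vendor, action, reason in review_actions(SAMPLE_VENDORS, TODAY):
        print(f"{vendor:18} {action:11} {reason}")
```

Each returned tuple is the kind of entry an organization would keep as the audit trail mentioned under off-boarding.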
For today’s organizations, outsourcing has become a vital part of running an efficient and innovative business. As enterprises add new vendors at an unprecedented rate, it’s more important than ever to minimize the risks third parties add to the business environment. With a comprehensive third-party risk management strategy, businesses can reap the expertise and cost savings third parties provide, while protecting themselves from the wide range of risks this modern work environment presents.
A Robust PAM Solution Can Help
As you consider your third-party risk management strategy, a strong privileged access management (PAM) solution can help to secure and control third-party access to your critical assets. SailPoint integrates with top PAM providers to automate workflows throughout the user lifecycle, enforce policy-based controls, and detect anomalies and unauthorized access attempts. PAM also enables organizations to set automatic expiration dates to ensure the deactivation of temporary accounts, while restricting resource access to the vendors that need them.
[i] Gartner, “ERM’s Role in Third-Party Risk Management” (gcom.cloud).
[iv] Panorays, “The Top 5 Third-Party Data Breaches of 2020” (panorays.com).
[v] Gartner, “ERM’s Role in Third-Party Risk Management.”