Many modern organizations partner and do business with outside firms such as vendors, contractors, subcontractors, and more. Because these entities have varying degrees of IT and cybersecurity maturity, they introduce different levels of risk into the business supply chain. Security risk refers to the likelihood that a negative security event could occur and the impact it would have on different parts of the business. Every company has a different risk appetite — the level of security risk that leadership is willing to take to meet their business goals.
Third-party risk management is a component of an organization’s overall risk management program, which encompasses assessing, analyzing, and prioritizing risk in order to develop and refine a strategy to mitigate the effects of risk to acceptable levels. Third-party risk management is about understanding and effectively managing all of the security risks that exist during various relationships with third parties.
Here are a few best practices that your organization can use to promote stronger information security through third-party risk management.
Categorize the risk of each individual third party
Each third party you engage with provides a unique service that supports your organization’s ability to conduct business and achieve the desired outcomes. First, develop an inventory of the products and services you consume and the categories of vendors or partners that provide them. For each vendor, this inventory should also record the type of data (sensitive or business critical) the vendor stores, processes, or transmits, and what the vendor can access within your environment or a customer’s. Next, conduct a formal third-party risk assessment for each organization to determine what risks it could be introducing to your business.
Gathering and organizing all of this information will help you get a better idea of which third parties pose the highest risk based upon the type of data and systems they can access. This can also be useful when planning for future partnerships. Keep in mind that each of these third-party organizations likely uses its own third parties, which may also need to be assessed based on the risk that this upstream supply chain poses to your business operations.
Establish risk-related performance metrics
When entering into a long-term contractual relationship with another organization, you must make sure the key performance indicators (KPIs) that govern the relationship have been clearly defined. You are likely already aware of how to develop KPIs for product or service delivery — metrics related to cybersecurity and risk liability are equally important to the longevity of your business. Defining risk-related KPIs can be a complex process and should involve input from all key stakeholders in your organization. Here are a few examples of what those KPIs might include:
- % of systems with no open critical or high vulnerabilities
- Number of open critical or high vulnerabilities
- Average window of exposure for vulnerabilities
- Average dwell time for a threat actor
- Frequency of review of third-party access
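The KPIs above only become useful once they are computed from real data and compared against the thresholds written into the contract. The following script is an added example (not code from the original article) that takes a small, constructed inventory of vendor-managed systems, their vulnerability findings, access-review dates, and incident records, computes each KPI in the list per vendor, and reports which vendors breach a set of hypothetical contractual thresholds. The vendor names, systems, dates, and the `THRESHOLDS` values are all invented for illustration; set thresholds according to your own risk appetite.

```python
"""Added example: per-vendor third-party risk KPIs with contractual threshold checks.

Not the article's own code. All vendors, systems, findings, incidents and
threshold values below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Finding:
    system: str
    severity: str                      # "critical", "high", "medium" or "low"
    discovered: date
    remediated: Optional[date] = None  # None means the finding is still open

    def is_open(self, as_of: date) -> bool:
        return self.remediated is None or self.remediated > as_of

    def exposure_days(self, as_of: date) -> int:
        # Window of exposure: discovery until remediation, or until as_of if still open.
        end = as_of if self.is_open(as_of) else self.remediated
        return (end - self.discovered).days


@dataclass
class Incident:
    first_activity: date  # earliest evidence of attacker activity
    detected: date        # when the activity was detected


@dataclass
class Vendor:
    name: str
    data_classification: str  # what the vendor stores, processes or accesses
    systems: list
    findings: list
    incidents: list
    last_access_review: date


# Hypothetical contractual thresholds (assumption): ("min", x) means the KPI must be
# at least x, ("max", x) means it must not exceed x.
THRESHOLDS = {
    "pct_systems_clean": ("min", 80.0),
    "open_crit_high": ("max", 1),
    "avg_exposure_days": ("max", 30.0),
    "days_since_access_review": ("max", 90),
    "avg_dwell_days": ("max", 7.0),
}


def kpis(vendor: Vendor, as_of: date) -> dict:
    """Compute the article's risk-related KPIs for one vendor as of a given date."""
    serious = {"critical", "high"}
    open_serious = [f for f in vendor.findings if f.severity in serious and f.is_open(as_of)]
    affected = {f.system for f in open_serious}
    clean = [s for s in vendor.systems if s not in affected]
    pct_clean = 100.0 * len(clean) / len(vendor.systems) if vendor.systems else 100.0
    exposures = [f.exposure_days(as_of) for f in vendor.findings if f.severity in serious]
    dwells = [(i.detected - i.first_activity).days for i in vendor.incidents]
    return {
        "pct_systems_clean": round(pct_clean, 2),
        "open_crit_high": len(open_serious),
        "avg_exposure_days": round(sum(exposures) / len(exposures), 2) if exposures else 0.0,
        "days_since_access_review": (as_of - vendor.last_access_review).days,
        "avg_dwell_days": round(sum(dwells) / len(dwells), 2) if dwells else None,
    }


def breaches(metrics: dict) -> list:
    """Return the names of KPIs that fall outside the contractual thresholds."""
    out = []
    for name, (kind, limit) in THRESHOLDS.items():
        value = metrics.get(name)
        if value is None:
            continue  # no data (e.g. no incidents on record) is not a breach
        if (kind == "min" and value < limit) or (kind == "max" and value > limit):
            out.append(name)
    return out


def report(vendors: list, as_of: date) -> dict:
    """Map each vendor name to (its KPIs, the list of breached thresholds)."""
    result = {}
    for v in vendors:
        m = kpis(v, as_of)
        result[v.name] = (m, breaches(m))
    return result


# Constructed sample inventory (not real vendors or findings).
AS_OF = date(2024, 6, 30)
VENDORS = [
    Vendor("acme-billing", "sensitive",
           ["bill-app-01", "bill-db-01", "bill-web-01"],
           [Finding("bill-app-01", "critical", date(2024, 5, 1), date(2024, 5, 10)),
            Finding("bill-db-01", "high", date(2024, 6, 1)),
            Finding("bill-web-01", "medium", date(2024, 4, 1))],
           [], date(2024, 4, 15)),
    Vendor("northwind-hosting", "business-critical",
           ["nw-host-01", "nw-host-02"],
           [Finding("nw-host-01", "critical", date(2024, 3, 1)),
            Finding("nw-host-02", "high", date(2024, 2, 1), date(2024, 2, 20))],
           [Incident(date(2024, 2, 5), date(2024, 2, 15))], date(2024, 1, 10)),
]

if __name__ == "__main__":
    for name, (metrics, broken) in report(VENDORS, AS_OF).items():
        print(name, metrics, "BREACHES:" if broken else "within thresholds", broken)
```

Running the script prints one line per vendor with its KPI values and the thresholds it breaches; a vendor with no incidents on record gets `None` for dwell time rather than a breach, because absence of data should be reviewed, not silently scored as compliance. In practice the inventory would be populated from scanner exports and access-review records rather than hard-coded.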
Create clear third-party agreements
Contractual agreements must be clearly written based on your organization’s risk tolerance and the KPIs you have identified for third parties. Crucially, contracts must define any metrics, thresholds, and situations that would lead to the termination of a third-party relationship. If another organization does not take the proper actions to secure its environments and services after signing the contract, you can then protect your organization by ending the business affiliation.
The MSP role in third-party risk management
As MSPs continue to play a bigger role in providing cybersecurity protection for companies, it’s important to learn how you can help improve your clients’ security (and your own) through services related to third-party risk management.
Risk assessments
As mentioned above, risk assessments are an integral part of evaluating an organization's security posture against cybersecurity threats and identifying areas for improvement. Risk assessments should be regularly performed against your MSP business, your clients, and your vendors and partners. This helps you locate possible risks such as:
- Insufficient device management
- Data compliance problems
- Internal threats
- And more
A third-party risk assessment can ultimately lead to your business and the outside organization agreeing on certain remediation measures that must be taken before a relationship can be initiated.
Incident response planning
Because even the best-laid plans can go awry, your MSP business must be prepared to respond to any security incident that could be caused by a third-party organization. As such, you should have an incident response plan that outlines your strategies and goals for mitigating the damage, KPIs for measuring the effectiveness of your response, and thorough communication plans for disclosing incident information to internal and external entities. When testing your MSP business’s incident response capabilities (at least once per year, ideally once per quarter), it may be wise to include willing third parties to help act out how you would work together to contain a threat that has spread across multiple systems and environments.