Third-party products and services are an integral part of business operations. Organizations depend heavily on optimizing their solutions by reducing costs; thus, bringing about the need for external expertise. Third-party organizations promise timely delivery of products and services, meeting compliance requirements, and optimizing the organization’s overall business performance.
Reasons for bringing in a third party for various business operations include:
- Providing tools and/or applications for internal or external use
- Administering services for software components
- Consulting expertise for other tools/services
- Contributing professional services for customers
- Achieving compliance goals
What are third-party risks?
With the engagement of organizations other than your own in business operations, exposure to threats and risks increases. Threats arising from third-party engagements require enterprises to adopt a risk management approach for these assets.
If these risks are not mitigated, consequences may include:
- Reputational damage to brand, products, and/or services
- Loss of confidential and personally identifiable data
- Loss of customer trust and relationship (as is the case when a breach occurs)
- Downtime of critical systems/network resources due to outsourcing infrastructure
- Unauthorized access to systems, tools, applications, and data by third parties
- Public disclosure or loss of intellectual property, trade secrets, copyrights, etc.
What is an ideal third-party risk mitigation approach?
Creating a risk mitigation strategy for a third-party organization can be a tedious task. The identification and mitigation of risks requires a well-established and automated risk management program. This program can be used for both internal applications and services, and external tools and services.
Let’s examine an approach to identify, assess, and mitigate third-party risks:
- Identification. Risks can be identified at any level of engagement with a third party. This should account for all tools or services used on premise or hosted on an external network.
- Assessment. Once the risk has been identified, an assessment is conducted to carefully evaluate and account for the impact. A risk ranking system allows for the prioritization of risks.
- Mitigation. Assessed risks and threats must be mitigated in a cost- and time-effective manner. Risks must be communicated through an open channel to the third party for remediation.
Step 1: Identifying third-party security risks
Based on the scope of work, third-party tools and services are allowed access to various systems, resources, network appliances, applications, and data (either stored or in transit). Potential risks accompany access. Determining the security risks in these circumstances can be tricky.
At a high level, organizations should follow these best practices to identify security risks from third-party engagements:
- Recognize risks by conducting a threat model to analyze critical assets in which a third-party tool will interact.
- Analyze entry and exit points for all third-party tools and services.
- Classify risks for third-party tools and applications by performing penetration testing and source code analysis.
- Review all on-site engagements and interactions (e.g., consulting) with the third parties.
- Diagnose additional risks by performing a red teaming assessment for the services provided by third parties.
- Account for any and all open vulnerabilities that are publicly disclosed against the tool or service in use from a third party.
Step 2: Assessing third-party security risks
Evaluation and assessment are important steps to comprehensively mitigate risks. This step prioritizes risks to see them through to mitigation in a time- and cost-effective manner. A risk management program cannot be successful if the assessment of each security risk (based on its impact to the business) isn’t calculated.
To best assess third-party security risks:
- Prioritize the evaluation of critical third-party tools and services to manage the additional assessment cost to the security program.
- Assess the overall potential business impact of each critical third-party tool risk.
- Evaluate the third-party tools or services with the help of a non-biased resource
- Conduct periodic assessments regarding access to authorized and unauthorized resources for third-party tools and services.
Step 3: Mitigating third-party security risks
Identifying and assessing vulnerabilities also requires a mitigation strategy. This strategy is used to reduce the severity of the identified risks and/or remediate them.
Follow these practices to help your organization mitigate and prevent threats and risks posed by third parties:
- Maintain an inventory of all third-party assets, in addition to their interactions with upstream and downstream assets in the organization.
- Advocate asset ownership for each third-party service or tool in the inventory.
- Create and periodically review third-party service level agreements (SLAs) and non-disclosure agreements (NDAs).
- Communicate the risk management approach to the third party and expectations prior to onboarding the tool or service.
- Establish an open channel for communicating threats and risks to the third party.
- Construct risk profiles for each third-party asset. Risk profiles provide an overall impact to the business (e.g., revenue, services, etc.) in case of security risks.
- Implement mitigating controls for securing all third-party entry and exit points.
- Devise a remediation activity timeline for each third-party risk identified during the assessment phase (e.g., include threat modeling, application penetration testing, and source code analysis).
- Centralize and review changes from a third party before distribution to customers and employees.
- Audit security controls implemented by the third party for customer or client data. Data segregation with other organizations is important in case of a breach.
- Take control and ownership of key management, data stores, and other critical assets hosted by the third party.
- Examine authorized and unauthorized access to systems from third-party assets.
- Monitor on-site staff and their activities from a third party.
Get a running start
Implement a holistic program for managing third-party activities. Organizations should, if they haven’t already, use a scalable and automated risk management program to continuously identify third-party threats and risks. Assess the risks against the business and ultimately mitigate them through the implementation of security controls. Provide capabilities to monitor third-party assets, allowing the organization to detect and mitigate risks stemming from non-compliance, unethical practices, exposure to systems and resources, legal issues, and access to confidential data.
Following these recommendations will minimize redundancies and inefficiencies, in addition to improving visibility into risks, performance, and compliance of third-party activities.