Introduction
In this blog post, we examine the next cyber threat in our series: third-party risk. We will use the COVID-19 vaccine supply chain as an example. Many entities are involved, ranging from the suppliers that provide the raw materials for the vaccine, to the trucking companies that deliver the finished doses, to the healthcare providers who administer them to patients.
If an entity shares Personally Identifiable Information (PII) with any step in that supply chain, and that step suffers a security breach, the entity that shared the data still bears the responsibility to its customers and regulators: outsourcing the processing does not outsource the accountability.
The Types of Third-Party Risks
When one hears the term “risk” in this context, the first thought is usually a cybersecurity threat that reaches your organization through a third party. Keep in mind, however, that there are other types of third-party risk that can be just as damaging. Some of these include the following:
- Brand Risk: This is also commonly referred to as “reputational risk.” It occurs when a third party receives negative attention in news headlines or other media outlets. Because your organization is publicly associated with that vendor, such press can spill over onto your business and erode the trust of your stakeholders.
- Process (Operational) Risk: This happens when a mission-critical process at your third party breaks down for a period of time. A single stalled step can hold up the entire supply chain and delay product or service delivery to your customers.
- Disaster Risk: Organizations that are not prepared to recover from a disaster stand to lose everything. If a third party experiences a large-scale cyberattack (for example, ransomware that halts its operations) or a natural disaster, the outage can have a severe impact on your business as well. It is therefore important that they have not only a solid Disaster Recovery (DR) plan but also a Business Continuity (BC) plan, and that they can demonstrate their “cyber resiliency” to you: how quickly they can restore operations after a security breach, ideally expressed as tested recovery time and recovery point objectives rather than a promise on paper.
- Data Privacy Risk: This is probably one of the biggest areas of concern. It is likely that you will share confidential information, especially information about your customers, with a third party. Just as you are vigilant in protecting that data, you need to ensure they are as well. If a security breach at your third party results in the loss or theft of your data, you remain accountable to your customers and regulators even though the breach happened on their systems. This issue has become much more prominent with the implementation of the CCPA and the GDPR, both of which hold the organization that collected the data responsible for the vendors it entrusts that data to.
- Noncompliance Risk: Just as you must comply with regulatory frameworks, so must the organizations in your supply chain. If your organization is audited, the security controls your vendors have in place (or lack) will directly affect the results of your audit.
- Financial Risk: This kind of risk can be especially concerning. If your third party does not have suitable cash flow for incident response, either from cash reserves or from insurance, you may end up paying for the restoration of their operations in order to keep your own supply chain healthy.
- Geopolitical Risk: This typically arises when your third party operates in a different country. Political events, sanctions or export controls could disrupt your supply chain, and insiders at a foreign site could tamper with or damage the parts you need to produce and deliver a quality product.
How To Manage Third-Party Risks
There are numerous steps you can take to reduce the risk you inherit from the third parties you hire, including:
- Hire a dedicated individual: As a member of the C-Suite or as the business owner, your time is valuable. You should therefore hire somebody whose sole job is to locate and vet potential third-party vendors as your company needs them. One qualification you should require is the ability to examine a prospective vendor’s security policies and the degree to which they are actually enforced. That person should also be able to assess how well the vendor protects its own confidential data, as this is a good indication of how it will handle yours.
- Launch a detailed due diligence process: This process amounts to a background check on the third party you plan to hire. Not only should you examine their financial stability and brand reputation, but you should also pay close attention to cybersecurity. For example, you need to make sure that their practices and policies meet the standards you have set for your own company, and ask for evidence rather than assurances, such as a recent independent audit report or penetration test summary. Furthermore, your dedicated third-party manager should be allowed to examine the technical controls around your data on their systems: who can access it, how it is encrypted, and how access is logged. Keep in mind that any security breach that impacts them could also impact you, as attackers actively look for these business relationships as a way into the larger target.
- Create an ironclad contract: Before you hire a third party, you must have a contract in place that details their responsibilities to you. If you suspect a lack of enforcement of their internal controls, the contract should give you the right to inspect them and to require a corrective course of action that must be implemented promptly. The contract should also stipulate that you can conduct an audit at any time to make sure the third party is living up to its obligations, that it must notify you of a security breach within a defined number of hours, and that the same obligations flow down to any subcontractors it uses to handle your data.
Conclusions
In the final blog of this series, we will examine yet another threat variant: social engineering. If you feel that your organization is not where it needs to be from a security standpoint, it is time to schedule a call with our experts.