Managing Third-Party Risk: Lessons from the Field

With the growing number of third-party vendors working with or for your company, it’s imperative to do your due diligence to protect effectively against the growing threats hitting major third-party vendors and business partners.

Third-Party Risk Management Basics

Third-party risk management is the process of analyzing and controlling the risks that outside parties pose to your company’s data, finances and operations. As soon as a portal or credential is shared with one of these parties, you are exposed to that risk.

In a recent cyber attack, Wipro (India’s third largest IT service provider) was targeted and used as a jumping-off point by the attackers to launch phishing attacks on at least a dozen Wipro customer systems. Wipro’s customers span various industries on six continents, and some of them are Fortune 500 companies.

6 Best Practices for Third-Party Risk Management

    1. Screening: Know who you’re about to go into business with. Are they aware of the compliance regulations you are subject to? How much experience do they have working with organizations like yours? Do your homework and ensure that you have a detailed understanding of these parties.
    2. Conduct a risk assessment: Before signing on the dotted line, ensure that you understand their security posture. Ask questions like: How do you prevent a breach? What do you do in response to a breach, and how do you ensure timely remediation?
    3. Develop an on-boarding process: Ensure that introductions and training are provided so that your new business partners and vendors are properly oriented to your best practices and policies. The vendor on-boarding and due diligence process is also the time to ensure that “right-to-audit” language is included in service provider contracts.
    4. Establish a monitoring plan: This is a big one. Even if you have a third party monitoring your data, applications and systems (recall the Wipro example), you must have policies and procedures in place to do your own part as a secondary check for suspicious activity. Also, once “right-to-audit” language is obtained, actively use it to ensure your providers are focusing on more than compliance.
    5. Implement an escalation process: You should have an agreed-upon process, communicated to all parties involved, for what happens when someone sees something suspicious.
    6. Review and audit processes: Like any management plan, your team should set aside time to review what’s working and what can be improved upon.

Sirius offers a proactive approach to assessing threats and potential risk, while ensuring that the right set of countermeasures is in place. To learn more about how we can help your organization with third-party risk management, contact us.

April 29th, 2019 | Blog

About the Author:

Chris Hoke is a Managing Director of Security Solutions at Sirius.