We have talked about how to manage your company’s relationships with third-party vendors. We have also discussed making sure vendors have adequate levels of security in place. Failure to do either can result in a successful attack. This could expose confidential information and result in your company receiving a fine.
But it doesn’t stop there. As well as this, you must consider who a vendor is outsourcing services to as well. You’re outsourcing a function and your vendor may, as well. If your company outsources a service to a third-party, they could then outsource specific functions to other vendors. Or if they are using technology to deliver that service, they can contract it out to an external development house to do the software development. These are what we mean by fourth- and fifth- parties. They are sometimes called providers or strategic partners. The scenario of a malicious actor breaching a company via a secondary victim is a common one. Your protections are only as strong as the vulnerabilities in your supply chain. In a report on the subject, PWC has shown that many companies don’t assess fourth party risk at all and rely on third-parties to monitor subcontractors. It is your responsibility to protect sensitive data at all points within the supply chain.
So how can I manage the risks?
Managing relationships in a supply chain can become very difficult. But you should not have to check all your fourth- and fifth-party vendors. Depending on the project, you must assess all the vulnerabilities along the chain. You will have to see the points at which suppliers will have access to any sensitive data. This can include new technologies which your company may be developing, financial information your company is yet to publish or undisclosed strategies. This means that you should prioritise the monitoring of relations and incident responses. At the very least you should gain assurances and evidence from your 3rd party of the due diligence they conduct on their own partners.
Examples of some of the questions you should ask:
- What services the third-party themselves outsource.
- What sensitive data will they have access to.
- Where fourth- and fifth-parties operate from, and what protections they have.
Your company can then consider the potential cost of managing these relationships.
Forming a VRM structure
The information you collect at this stage will help to form a VRM structure. This can provide governance guidelines on how to handle and secure sensitive data. This will also help you develop a vendor register. This describes where the risks are and provide impact assessments. You should also develop contingency plans in the event of a data breach at any stage along the supply chain.
What does C2 recommend?
Monitoring and reporting
It is important that you protect your supply chain if dealing with sensitive information. But unfortunately, protection is not enough. If you compare this to your office space, locks can be fitted and CCTV can be installed, but if a burglar wanted to get in, they still could. No system is completely impenetrable. C2 recommends that you also adopt a monitoring and reporting strategy, where defenses are checked for any breaches. If you want to know more about monitoring and reporting, click here.
You won’t be able to monitor third-parties and beyond yourself, so you will need evidence to give you confidence that these organisations have effective capabilities themselves. In working with them, you are not only improving your own vendor risk management but also that of your suppliers.
Put in place a VRM programme
We recommend that you use a specialist vendor risk management service, such as COBRA. This will allow you to monitor threats and vulnerabilities in a supply chain in real time and respond to them. Vulnerabilities along a supply chain can be seen simultaneously. This can allow you to manage the vulnerabilities as you see them. This means that risk management of a supply chain becomes much more efficient. You can address risks and mitigate them at a quicker rate. Should the worst happen, the source of a problem can be immediately located, and you can respond.
You may think that this is a long and difficult process, but there are ways to make it quicker. If you want to know more about how to put in place a VRM programme quickly, click here.
Protecting third-parties is not enough. Your company has to consider all the vendors along a supply chain. You must establish which fourth- and fifth- parties are responsible for managing what data. You must then put plans in place which ensure that all parties along a supply chain have appropriate levels of protection to keep data secure. As well as this, you should also monitor protections along a supply chain to check for any vulnerabilities. Much of the risk management involves establishing strong relations with your vendors. It also involves ensuring that they have adequate levels of security. You could use a provider to make this process more efficient, and save you time.
> More information about Vendor Risk Management