How to build an effective third-party risk assessment framework

Don't overlook the threats associated with connecting vendors and partners to internal systems. Do your due diligence and use third-party risk assessments to prevent supply chain attacks.

Organizations today connect with more supply chain partners than ever before, a reflection of the distributed and connected environment in which most enterprises now operate. Procurement, as a result, is more automated and streamlined. Yet, even as these procurement processes become simpler, addressing third-party cybersecurity risks has become more challenging.

The risks are significant: Consider the 2023 breach of the MOVEit file transfer software, where threat actors exploited vulnerabilities in the software to exfiltrate high-value data from approximately 2,300 public and private commercial entities, at a cost of more than $10 billion. The MOVEit attack was far from unique. Capterra, a technology review site, found that 61% of U.S. businesses experienced supply chain attacks in 2023.

To counter the risks associated with vendors, service providers, partners, contractors and other third parties, organizations must conduct third-party risk assessments before investing in a relationship and on an ongoing basis thereafter.

Assessing and addressing third-party risks

Digital procurement has made purchasing far less manual. Automation enables enterprises to significantly expand the number of suppliers they do business with, but it has also put more pressure on IT to manage third-party vendors and contractors -- and the risks they bring.

So, what do organizations need to consider going into a new vendor relationship and how can they successfully maintain existing partnerships?

The first step in third-party risk management is to build out standards on how to conduct a third-party risk assessment.

First, create vendor risk assessment questionnaires to determine what controls a provider has in place to ensure redundancy, resilience and security. Focus on the following:

  • Operational risks.
  • Legal, regulatory and compliance risks.
  • Reputational risks.
  • Financial risks.

Use cybersecurity standards, such as the NIST Cybersecurity Framework and the Center for Internet Security (CIS) Critical Security Controls, and industry regulations, such as PCI DSS, HIPAA and GDPR, to create a list of questions. Consider the following:

  • What security controls do you have in place?
  • How do you store or process sensitive data?
  • What is your authentication policy? Is MFA mandatory?
  • How often do you conduct backups?
  • Do you have an incident response plan?
  • How do you communicate with customers and stakeholders in the event of a security incident, such as a data breach?
  • Do you conduct internal audits to assess and ensure regulatory compliance?
  • What is your privacy policy?

Next, categorize vendors based on the level of risk they pose. Tiering lets organizations compare potential threats more accurately and focus scrutiny where exposure is greatest. Consider the following:

Also, look at the provider's delivery history and reputation. Have there been past operational issues that disrupted deliveries? If so, has the supplier sufficiently addressed them and reestablished its reliability? Organizations should also evaluate the supplier's fiscal health to ensure it can consistently meet delivery requirements.

Remember, a third-party risk assessment is not a one-off engagement that only takes place in the initial vendor evaluation process. Assessments must be ongoing to determine if any changes in procedures or policies have affected delivery stability. Use AI and analytics tools to help with this task.
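The questionnaire, tiering and reassessment steps above can be turned into a repeatable intake check. The following is an added example, not code from the article: the question names map to the article's question list, while the weights, the inherent-risk factors, the tier thresholds and the reassessment cadence are constructed assumptions that a real program would calibrate to its own risk appetite.

```python
from dataclasses import dataclass

# Constructed questionnaire derived from the article's question list; the
# weights and tier thresholds are illustrative assumptions, not a standard.
CONTROL_WEIGHTS = {
    "mfa_mandatory": 3,                # "Is MFA mandatory?"
    "encrypts_sensitive_data": 3,      # "How do you store or process sensitive data?"
    "regular_backups": 2,              # "How often do you conduct backups?"
    "incident_response_plan": 2,       # "Do you have an incident response plan?"
    "breach_notification_process": 2,  # "How do you communicate ... a data breach?"
    "internal_compliance_audits": 1,   # "Do you conduct internal audits ...?"
    "documented_privacy_policy": 1,    # "What is your privacy policy?"
}
REASSESS_DAYS = {"high": 90, "medium": 180, "low": 365}  # assumed review cadence

@dataclass
class Vendor:
    name: str
    handles_sensitive_data: bool        # in scope for PCI DSS, HIPAA or GDPR
    connects_to_internal_systems: bool  # network, API or account access to us
    business_critical: bool             # its outage disrupts our own delivery
    answers: dict                       # question -> True (yes) / False (no)

def inherent_risk(v: Vendor) -> int:
    # Exposure before any control is considered: what the vendor touches (1..9).
    return (1 + 3 * v.handles_sensitive_data
            + 3 * v.connects_to_internal_systems + 2 * v.business_critical)

def control_gaps(v: Vendor) -> list:
    # Questions answered "no" or left unanswered, heaviest weight first.
    return [q for q in CONTROL_WEIGHTS if not v.answers.get(q, False)]

def control_coverage(v: Vendor) -> float:
    # Weighted fraction of controls the vendor attests to having (0..1).
    have = sum(w for q, w in CONTROL_WEIGHTS.items() if v.answers.get(q, False))
    return have / sum(CONTROL_WEIGHTS.values())

def risk_tier(v: Vendor) -> str:
    # Residual risk = inherent exposure not covered by attested controls.
    residual = inherent_risk(v) * (1 - control_coverage(v))
    return "high" if residual >= 3.0 else "medium" if residual >= 1.5 else "low"

def assess(v: Vendor) -> dict:
    # The tier drives the reassessment cadence; the gap list drives remediation asks.
    tier = risk_tier(v)
    return {"vendor": v.name, "tier": tier, "gaps": control_gaps(v),
            "reassess_in_days": REASSESS_DAYS[tier]}

# Constructed sample: a file transfer provider wired into internal systems.
FILE_TRANSFER = Vendor("file-transfer-vendor", True, True, True, {
    "mfa_mandatory": True, "encrypts_sensitive_data": True, "regular_backups": True})
```

Unanswered questions count as gaps, so an incomplete questionnaire can only raise a vendor's tier, never lower it.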

Amy Larsen DeCarlo has covered the IT industry for more than 30 years, as a journalist, editor and analyst. As a principal analyst at GlobalData, she covers managed security and cloud services.
