Why Third-Party Risk Management Is Crucial in Cybersecurity
In May 2020, Blackbaud – a cloud computing vendor for non-profits, foundations, corporations, and educational and healthcare institutions – was attacked with ransomware. Their cybersecurity team managed to block system access from the cybercriminals and fully encrypt all files, ultimately locking the attackers out, but not before the cybercriminals managed to copy a subset of data from their private cloud. Blackbaud paid the ransom demand and confirmed that the copy made was destroyed. The fallout, however, was significant.
Of all its clients, Inova Health System was the worst affected, with more than a million individuals’ personal information leaked: birth dates, contact details, departments they visited, and even their philanthropic history.
In total, more than 6 million individuals’ personal information was exposed, and many of them sued Blackbaud for negligence, breach of contract, and putting them at risk of “identity theft and fraud.”
Vetting your third-party vendors is crucial to cybersecurity risk management. This is where third-party risk management (TPRM) plays a key role.
What is third-party risk management?
Most organizations work with third-party vendors that supply digital solutions, physical products, and services. Although convenient, this does come with its own risks since these third parties have access to operational data and sensitive information which can be breached if not properly protected. Through third-party risk management (TPRM), these vendors are analyzed and assessed in order to minimize possible security risks through due diligence.
Due diligence is the continuous process of thorough investigative research in which a third-party vendor is deemed suitable or not with respect to its efficiency and, most importantly, its cybersecurity.
Why is third-party risk management important?
In the digital space, third-party vendors are a necessity. They help with efficiency, meeting user demands, creativity, and innovation. Cybersecurity teams within organizations work with their own suppliers of services and solutions: cloud computing, anti-malware and antivirus software, encryption software, VPNs, and so on. This, however, doesn’t exempt those suppliers from being potential risks. An organization may have the most advanced security and protection for its information and assets, but if its third parties don’t, then it is vulnerable to all kinds of cyberattacks.
Cybercrime is ever-growing and cybercriminals are getting more sophisticated along with technological advancements, especially in the fields of AI and ML. Vulnerabilities in third-party solutions can provide hackers with a way into a network. Over the last 2 years, “53% of organizations have experienced at least one data breach by a third party,” resulting in $7.5 million in losses on average.
These statistics amplify the importance of TPRM. A strict TPRM program with a strong and advanced digital background covers the necessary ground to minimize potential risks by vetting the third parties employed by your organization. It provides a framework for your organization and vendors to operate smoothly, reduces costs, enhances visibility and oversight over vendors, and monitors their access to organizational data, ethical business practices, and environmental impacts. Compliance with regulations like HIPAA, GDPR, and others is also an important aspect of TPRM.
How should organizations go about TPRM?
So how do you select an effective risk management program for your company?
An ideal TPRM program’s main goal is to reduce third-party risks. These risks can be classified as Operational, Financial, Reputational, Compliance, Information Security and Environment, Health and Safety, etc.
Your organization should employ certified and experienced individuals/companies that help in mitigating potential risks and ensuring security and growth. Here are a few steps you could follow:
- Create a system that keeps track of all third-party vendors working with your organization and organizes them based on whose services impact you the most.
- Form service level agreements (SLAs) to control how much access a third-party vendor can have to sensitive data, what security measures they take to protect the data accessed, etc. Make sure that access to sensitive data is protected by an additional layer of security – one-time passwords or two-factor authentication, for example.
- Design a thorough onboarding program for all your third-party vendors.
- Design a third-party risk management framework that details the steps to safeguard your organization’s assets, minimize risk, and contribute to overall growth. Make sure to set up cybersecurity policies that include how your organization’s employees should engage with third-party vendors.
- Regularly audit your vendors and assess their efficiency. Make sure you set up a strong, centralized oversight system that monitors and enforces the security measures you have in place, especially when it comes to user activity. If your team detects any suspicious behavior, notify relevant third parties immediately.
- Only work with third-party vendors that comply with the regulations in your industry – GDPR, HIPAA, NIST, GLBA, etc. Failure to comply can result in hefty fines for all parties involved.
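The steps above (an inventory tiered by impact, an extra authentication factor for sensitive access, required attestations, and a regular audit cadence) can be turned into a small vendor register that flags control gaps. The script below is an added example, not code from the original article or from any vendor-management product; the vendor names, dates, tier rules, review intervals and required attestations are constructed for illustration and would come from your own policy and vendor-management system in practice.

```python
"""Minimal third-party vendor register: tiering, control checks and audit cadence.

Added example, not from the original article. Vendor records, tier rules and
review intervals are constructed for illustration; a real program would load
them from a vendor-management system and the organization's own policy.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Data sensitivity ranks; higher means more damage if the vendor is breached
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}

# Maximum days between assessments, by tier (assumed policy values)
REVIEW_INTERVAL_DAYS = {1: 90, 2: 180, 3: 365}


@dataclass
class Vendor:
    name: str
    service: str
    data_access: str                     # key of SENSITIVITY
    business_critical: bool              # an outage would halt a core process
    mfa_enforced: bool                   # extra factor required for vendor accounts
    attestations: Set[str] = field(default_factory=set)   # e.g. {"SOC2", "HIPAA"}
    last_assessment: Optional[date] = None


def tier_vendor(v: Vendor) -> int:
    """Tier 1 = highest impact; drives review cadence and control strictness."""
    rank = SENSITIVITY[v.data_access]
    if rank >= 2 or (v.business_critical and rank >= 1):
        return 1
    if rank == 1 or v.business_critical:
        return 2
    return 3


def find_gaps(v: Vendor, required: Set[str], today: date) -> List[str]:
    """Return the control gaps for one vendor in the order a reviewer would triage them."""
    gaps: List[str] = []
    tier = tier_vendor(v)
    # Sensitive access must sit behind an additional authentication factor
    if SENSITIVITY[v.data_access] >= 2 and not v.mfa_enforced:
        gaps.append("no second factor on sensitive data access")
    # Attestations the vendor must hold for this data class
    missing = required - v.attestations
    if missing:
        gaps.append("missing attestations: " + ", ".join(sorted(missing)))
    # Assessment cadence depends on tier
    limit = timedelta(days=REVIEW_INTERVAL_DAYS[tier])
    if v.last_assessment is None:
        gaps.append("never assessed")
    elif today - v.last_assessment > limit:
        gaps.append(f"assessment overdue (tier {tier} limit {limit.days} days)")
    return gaps


def build_report(vendors: List[Vendor], required_by_class: Dict[str, Set[str]],
                 today: date) -> Dict[str, Tuple[int, List[str]]]:
    """Map vendor name -> (tier, gaps), ordered so tier-1 vendors come first."""
    rows = {}
    for v in vendors:
        req = required_by_class.get(v.data_access, set())
        rows[v.name] = (tier_vendor(v), find_gaps(v, req, today))
    return dict(sorted(rows.items(), key=lambda kv: kv[1][0]))


# Constructed sample inventory (names and dates are illustrative only)
SAMPLE_VENDORS = [
    Vendor("CloudBackupCo", "backup hosting", "regulated", True, False,
           {"SOC2"}, date(2023, 11, 1)),
    Vendor("MailRelay", "transactional email", "internal", False, True,
           {"SOC2"}, date(2024, 2, 15)),
    Vendor("OfficeSupplies", "stationery", "public", False, False, set(), None),
]

# Attestations assumed to be required per data class (illustrative policy)
REQUIRED_ATTESTATIONS = {
    "regulated": {"SOC2", "HIPAA"},
    "confidential": {"SOC2"},
}

# Constructed review date used for the sample run
SAMPLE_TODAY = date(2024, 4, 1)


def sample_report() -> Dict[str, Tuple[int, List[str]]]:
    """Run the register over the constructed inventory as of SAMPLE_TODAY."""
    return build_report(SAMPLE_VENDORS, REQUIRED_ATTESTATIONS, SAMPLE_TODAY)


if __name__ == "__main__":
    for name, (tier, gaps) in sample_report().items():
        print(f"{name:15} tier {tier}  " + ("; ".join(gaps) or "no gaps"))
```

The tiering rule is deliberately simple: data sensitivity dominates, and business criticality only promotes a vendor that already touches non-public data. The useful property is that every check (second factor, attestations, review cadence) keys off the tier, so adding a vendor to the inventory is enough to put it under the right level of scrutiny.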
Risks and vulnerabilities can never be completely eliminated. However, a thorough TPRM framework will allow your organization to strike the balance between cost optimization and operational efficiency on one side and strong cybersecurity practices on the other.