Inventory Your Third-Party Risks in 6 Steps

How Many Vendors Have the Key to Your Kingdom? Use This Guide To Identify Potential Supply-Chain Risks and Protect Your Customer Data.

How many people can walk into your house right this minute? You probably think: “just me and my family.” Then again, there was that time you gave a key to your parent. And to your neighbor. Did that pet sitter give a copy back when they moved away? Years pass, memory fades, but the list of people who can unlock your door keeps growing.

Third-party risk works the same way. Companies rely on a constellation of vendors for everything they need, from equipment maintenance to cloud storage. These relationships are essential to a business — but without constant vigilance, they can become its Achilles heel. After all, why would hackers need to pick your lock when they can steal your customer data via smaller, more vulnerable vendors that share your “key.”

This year, it happened to Toyota, Morgan Stanley, Upstox, and a long list of well-known companies. But it isn’t just the big fish who need to worry. For the vast majority, it’s not a matter of if, but when a third-party data breach will occur. And in 2022, one-fifth of these breaches became full-on attacks. These incidents are particularly insidious because they take an average 26 days longer to identify and contain — and if you’re operating in the United States, they cost about 5 million dollars more to remedy.  

How vulnerable do your third-party relationships make you? Even if you’ve got identity management solutions in place, most aren’t designed to manage the complexity of governing third-party identities, let alone keep an eye on all the hidden channels into your organization’s systems.

The only way to avoid potential financial losses, reputational damage, and legal headaches is to take an inventory of your entire third-party network. Sound like a lot of work? Let’s keep it as simple as possible. As you begin the process, there are six tasks that should be on your to-do list: 

1. Make The List: Third-Party Due Diligence

Can you name all the external parties you rely on? Often companies that think they have a dozen or so end up discovering they actually have hundreds of third-party relationships. A comprehensive list of all your current third-party relationships includes suppliers, contractors, and other organizations that have access to your systems and data. Since many third parties have contractual relationships, procurement can be a good place to start.

If you just heard a record scratch, you’re not wrong. Compiling a system of record with contract details and contact information takes considerable time and effort, but this step is foundational. You can’t manage what you can’t see.

For a deeper dive into what to do with this exhaustive list (and which safeguards you need in place before granting access) stay tuned for our next blog in this series. 

2. Hold Third Parties To The Same Compliance Standards As Employees 

Third-party access is rapidly moving to the top of the audit checklist. How well are your vendors complying with data privacy laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)? If they’re handling credit card transactions, are they adhering to the Payment Card Industry Data Security Standards (PCI DSS)?-

Compliance is complicated, so the name of the game is consistency. Bringing all third-party access under the same compliance process as your entire workforce can go a long way toward reducing risk. Applying uniform standards across the board fosters a more cohesive and consistent organizational culture that can encourage trust and confidence of employees, customers, and other stakeholders.  

3. Insure To Prevent Financial Losses 

Whether it’s vendor fraud, mismanagement of funds, or lax security, the blast radius from third-party breaches is harmful and far-reaching. The process of hiring cybersecurity experts and future-proofing your environment can outpace the time and money required for customer pay-outs. The widely-covered T-mobile data breach that occurred last year cost a record-breaking $350 million.

Needless to say, organizations should carefully review the financial stability of their third parties and put in place financial safeguards  to protect against losses that may arise as a result of a third party’s failure to perform as required or specified.

4. Have The Talk: What To Ask Your Third Party 

Ideally, prevention starts before entering into any agreements. But it’s never too late to begin understanding the cyber posture of your existing external partners. Get familiar with a vendor’s security practices, policies — and potential vulnerabilities — by asking these key questions:

• Do they have policies in place to protect the confidentiality, integrity, and availability of any data they handle on your behalf, such as encryption, access controls, and incident response plans?
• Can they provide evidence of appropriate security measures (firewalls, antivirus software, vulnerability management processes, etc) that protect their networks and systems from cyber threats?
• How secure are their physical facilities? Do they have access controls, surveillance, and disaster recovery plans in place?
• Does the vendor conduct employee training and awareness on security best practices, such as password management, secure communication, and identifying and reporting potential threats?
• Do they have cybersecurity policies in place with their third parties? A growing concern is that attackers are often gaining access by attacking your third party and gaining access to your systems and data. 

5. Do The 3 Rs: Review, Reevaluate, Renegotiate  

What’s in your contracts? Regularly reviewing and updating contracts and agreements with third parties can ensure you’re not overlooking changes in your risk profile. Will your vendor be responsible for promptly administering identity access for their joiners, movers, and leavers? Will they regularly complete access reviews and certifications? Will they promptly disclose breaches so you can take action to reduce the potential fallout? These are critical features you need. 

Establishing clear lines of communication with third parties can help you stay ahead of emerging threats and protect your systems and data from potential vulnerabilities.

6. Don’t Forget the Machines

Machine identities and Internet of Things (IoT) devices provide access to critical systems and resources. Service identities are used to identify and authenticate services (such as APIs) to each other and to the systems they rely on. If they aren’t properly secured, unauthorized devices can gain access to your network and sensitive resources, potentially leading to data breaches and security incidents.

How Saviynt Can Help You Manage Your Entire Workforce

Saviynt provides multiple ways to populate your third-party system of record. We can help you align human owners and risk-based access policies to machine identities, as well as set just-in-time access privileges that can be deactivated when not in use.

In addition, compliance controls can be tied to user type, and auto-remediation policies can swiftly remediate non-compliant identities. Having out-of-the-box regulatory compliance reports for Sarbanes-Oxley, HIPAA, GDPR, PCI-DSS, and others makes it easier to enforce compliance controls and more efficient to provide audit documentation.

Saviynt can also help you manage evolving IoT, OT, and DevOps complexities by governing machine identities (APIs, RPAs, and containers) with zero trust principles.

You’ve taken the snapshot. Now improve your cybersecurity posture with a combination of Saviynt’s IGA, Privileged Access Governance, and Third-Party Access Governance. Our identity-centric approach allows for centralized onboarding, better control over the access that third parties can request, and quick removal after the relationship ends.

Next up in this series: get to know the hidden risks of third-party onboarding and the importance of delegated administration.