
Quick Guide to Preventing Third-Party Cyber Incidents

Cybersecurity / October 31, 2024

Your Guide to Third-Party Cybersecurity Assessment for Your Interconnected Business

SolarWinds. Toyota. Uber. American Express. Some of the most infamous cybersecurity breaches of the last decade share a common trait: the vulnerability came from third-party vendors.

In fact, according to Security Magazine, third-party attack vectors are responsible for 29% of breaches today. For companies of any size, cybersecurity risk management must encompass third-party cyber risk management. Yet many small to midsize companies continue to underestimate this threat.

In this quick guide*, part of a series that includes Cybersecurity Beginner’s Guide: Three Best Practices to Prevent Cyber Incidents and How to Respond to Business Email Compromise, we’ll explore best practices for preventing and mitigating third-party cybersecurity risk.

(*The content below offers a preview of the Third-Party Data Breach Playbook inside Breach Plan Connect®, powered by NetDiligence®. To explore the full playbook and other incident response playbooks on common types of cybersecurity incidents, start your 30-day free trial of Breach Plan Connect today.)

What Is a Third-Party Cybersecurity Breach?

Third-party cybersecurity incidents occur when a threat actor gains access to your vendor, supplier, or other third-party partner’s systems or data related to your company’s customers, clients, IP, or other sensitive information.

Why Do Third-Party Breaches Happen?

Some of the most common reasons third-party breaches occur are:

  • A weak link in the supply chain, allowing threat actors to bypass the company’s usual defenses.
  • Lack of understanding about the digital supply chain or lack of risk management.
  • Lack of documentation of third-party vendors’ cybersecurity controls/practices/protocols.

Why Should Companies Anticipate Third-Party Breaches?

Third-party breaches are simply a business reality in an increasingly interconnected and interdependent cyber ecosystem. Most businesses don’t completely understand their digital footprint and all of the vectors for third-party risk. Even if your company’s internal cybersecurity is well managed, there are ample opportunities for bad actors to exploit weaknesses in the systems you connect to. For a small or midsize company, the results of a third-party breach can be disastrous and even catastrophic, causing financial loss, reputational harm, legal and regulatory repercussions, operations disruption, and more.

What Can Your Company Do to Prevent Third-Party Incidents?


As with all cybersecurity, third-party cyber risk management is about assessing risk, staying vigilant, and maintaining appropriate controls.

  1. Conduct vendor risk assessments. Assess any potential vendor or partner’s cybersecurity posture by reviewing their security practices and controls and identifying any possible threats or vulnerabilities. This can be done through a questionnaire, a security review or with the assistance of a risk-assessment service provider.
  2. Ensure all service level agreements (SLAs) contain cybersecurity requirements. These should clearly define:
    • security standards such as data encryption, intrusion detection, firewalls, and the like
    • how the vendor will provide data protection
    • how the vendor will conduct incident response
    • specific protocols for disaster recovery
    • a guarantee for uptime to mitigate business disruption
  3. Refuse to work with vendors that do not meet your risk assessment or service level agreement requirements. You can turn down a vendor who doesn’t have MFA or other appropriate measures in place—and you should.
  4. If you share data with third-party vendors, document it. Create an inventory of all data shared with vendors, including the type of data, format, and any classifications (e.g., sensitive, confidential) as well as who it’s shared with. Review and update this inventory regularly.
  5. Monitor data access and enforce access control. Establish clear policies regarding what data vendors can access and under what circumstances. Use the principle of least privilege to limit access to only what is necessary. Conduct periodic reviews of vendor access rights to ensure they are still appropriate based on the vendor’s current role and your data needs. Consider using security information and event management (SIEM) tools to automate the monitoring process. These tools can help identify suspicious activity in real time.
  6. Establish IR protocols. Part of vendor lifecycle management is preparing for the inevitable. Ensure that incident response planning includes third-party incident response, including cyber incident response documentation. Include a communication strategy around incident response for internal and external parties.
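Steps 3 through 5 above amount to a recurring review of a vendor register: every vendor must have MFA, hold no more access than its role needs, and be re-reviewed on a fixed cadence, with gaps on confidential or sensitive data escalated. The script below is an added illustration of that review, not NetDiligence code or part of Breach Plan Connect; the vendors, scopes, 90-day cadence, and "as of" date are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

AS_OF = date(2024, 10, 31)     # constructed "today" so the run is reproducible
REVIEW_INTERVAL_DAYS = 90      # hypothetical review cadence for vendor access

# One row of the shared-data inventory plus the access facts the review checks.
@dataclass
class VendorRecord:
    vendor: str
    data_types: list            # what is shared, e.g. ["employee PII"]
    data_format: str            # how it is shared, e.g. "CSV export", "API"
    classification: str         # "public" | "internal" | "confidential" | "sensitive"
    mfa_enforced: bool          # vendor accounts protected by MFA
    granted_scopes: set         # what the vendor account can currently reach
    needed_scopes: set          # what the vendor's current role actually requires
    last_access_review: date    # when access rights were last re-checked

def audit_vendor(rec: VendorRecord, today: date) -> list:
    """Apply the guide's checks to one record; return a list of findings."""
    findings = []
    if not rec.mfa_enforced:
        findings.append("no MFA")
    excess = rec.granted_scopes - rec.needed_scopes      # least-privilege gap
    if excess:
        findings.append("excess access: " + ", ".join(sorted(excess)))
    if today - rec.last_access_review > timedelta(days=REVIEW_INTERVAL_DAYS):
        findings.append("access review overdue")
    if findings and rec.classification in ("confidential", "sensitive"):
        findings.append("escalate: high-classification data at risk")  # any gap on sensitive data
    return findings

def audit_register(records, today: date) -> dict:
    """Map vendor name to findings, listing only vendors with at least one."""
    report = {}
    for rec in records:
        findings = audit_vendor(rec, today)
        if findings:
            report[rec.vendor] = findings
    return report

# Constructed sample register (fictional vendors).
SAMPLE_REGISTER = [
    VendorRecord("PayrollCo", ["employee PII"], "CSV export", "sensitive", True,
                 {"hr_db_read"}, {"hr_db_read"}, AS_OF - timedelta(days=30)),
    VendorRecord("MarketingTool", ["customer email"], "API", "confidential", False,
                 {"crm_read", "crm_write"}, {"crm_read"}, AS_OF - timedelta(days=200)),
    VendorRecord("PrintShop", ["brochure copy"], "PDF", "public", True,
                 {"assets_read"}, {"assets_read"}, AS_OF - timedelta(days=120)),
]
```

Running `audit_register(SAMPLE_REGISTER, AS_OF)` leaves PayrollCo clean, flags PrintShop only for an overdue review, and raises MarketingTool for missing MFA, a write scope its role does not need, an overdue review, and escalation because the data is confidential.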

In reality, there is no way to fully eliminate third-party cybersecurity risk. But understanding the scope and breadth of the risk and putting into place common-sense measures to mitigate the risk is half the battle—and thorough incident response planning will prepare your organization for the incidents that could not be prevented.

Want to Better Understand and Contain Your Organization’s Third-Party Cyber Risk?

NetDiligence can help! Learn more about our suite of QuietAudit® solutions like our Cyber Risk Assessment, Cyber Health Check, CFO Cyber Assessment, and Vulnerability Scan Test.

Want to Read Our Full Response Playbooks On the Most Common Types of Cyber Incidents?

Start your 30-day free trial of Breach Plan Connect® today. Get critical insights on responding to the most common types of cyber incidents that organizations face today, like business email compromise, malware and ransomware attacks, and more!



© 2024 NetDiligence All Rights Reserved.