Third party risk management leaves exposures in security posture
Recent breaches have illustrated that third parties such as vendors and partners can present a cyber security risk, but these parties still tend to be ‘under lit’ in enterprise information security frameworks.
This is according to Venisha Nayagar, MD of Crypt IT Information Risk Management, a consultancy specialising in information and cyber risk management.
Speaking ahead of the ITWeb Security Summit, Nayagar says: “Every organisation works with third parties – from infrastructure services through to hosting and outsourced staff supporting technology. Because they are seen as external to the organisation, companies may not apply their own policies and procedures as stringently to third parties as they do within the organisation.”
She notes that sound internal processes are exposed to risk if they are not extended to include the entire supply chain dependency ecosystem. Ensuring that third parties align with organisational security frameworks is a shared responsibility, she says. “It starts with procurement carrying out due diligence of vendors and contractors, looking at SLAs and assessing their policies, procedures and controls. But once a vendor becomes a third party, security and risk teams need to build that third party into the risk environment.”
How they do so may vary: organisations might implement constant monitoring and reporting, they might go on-site to conduct audits, or they might go the certification route, making it mandatory for third parties to meet certain standards.
“Organisations seeking to improve their third party risk management should start by reviewing all vendors and classifying them by the level of risk they could expose the organisation to. They should then revisit the way in which they structure third party agreements, ensuring that they align with internal security and risk frameworks and comply with POPIA.”
Nayagar will address delegates on day three of the annual ITWeb Security Summit, on the topic ‘Managing third party/supply chain cyber risk’. The talk, aimed at the entire vendor management and risk management community, will unpack the risks posed by third parties, explain how to classify vendors and manage supply chain risks, and make recommendations on how to implement third party risk controls to manage cyber exposures.