If you’re like most businesses, you have a variety of third-parties that you rely on to support your core business functions. And in many cases, they have the ability to connect to your network. By providing them remote access, you are effectively increasing your potential attack surface for cybercriminals to exploit. So what happens if their systems aren’t secure? They could inadvertently open up a door to your network and allow a cybercriminal to get in.
One of the best ways to mitigate cybersecurity risk posed by third-party vendors is to implement a Vendor Risk Management Program. Here are the steps you should take to build an effective program.
Then prioritize vendors based on risk:
Critical Risk: Vendors who are critical to your operation, and whose failure or inability to deliver contracted services could result in your organization’s failure.
Ensure access is based on legitimate business need. It’s best to follow the principle of least privilege, which is the practice of limiting users' access rights to the bare minimum permissions they need to perform their work. Under this principle, users are granted permission to read, write, or execute only the files or resources they need to do their jobs. In other words, the least amount of privilege necessary.
Vet all new vendors with due diligence
Define your process, which can include:
Require your Critical and High Risk vendors to provide
Ensure the vendor is cooperative
For example, a reputable vendor should expect these requests. If they balk or cannot provide the requested information, consider an alternative. Verbal assurance does not suffice.
All Critical and High Risk vendors should undergo a full due diligence review annually. All Medium Risk vendors should undergo a due diligence review applicable to the risk every two years. Some industries and regulators will require you to perform reviews on medium risk vendors annually. All other vendors, including Low Risk vendors, should undergo an annual survey.
For new and renewal contracts for your Critical and High Risk vendors be sure to include:
If your vendor fails to provide the contracted services, you need to be able to quickly pivot to another vendor, especially if they are providing you with a critical service. Be sure you know who else is in the field and is able to provide the same services.
Just like everything in security, vendor management is a continuous process. It requires constant vigilance and awareness of what is happening on your network, and of course, that also means what is happening on your vendor’s network.