Businesses rely on Third-Parties to deliver a service or product to their customers. In a tightly-linked digital world, Third-Parties are indispensable and inherently risky elements of a digital ecosystem.
Before going deep into the risks they pose to the business, we need to understand the definition and be able to identify the ones critical to the organisation. Here are the definitions you need to know and how NormShield can help with monitoring Third-Parties continuously.
What does “Third-Party” mean?
A Third-Party is a company or entity with whom you have an agreement to provide a product or service to you or to your customers on behalf of your organisation. A more general term for a Third-Party is a vendor or a supplier. Nowadays, it’s almost impossible to find a company that doesn’t leverage Third-Party suppliers or vendors.
In a tightly-linked digital world, Third-Parties usually access companies’ systems and resources. These links are so embedded in everyday use that most of them are rarely counted as Third-Parties in the inventory.
Take jQuery libraries served from content delivery networks (CDNs) as an example: numerous 2018 and 2019 breaches were caused by this specific kind of Third-Party use. Or consider Trello and Jira boards holding both company-specific and employee-specific data.
As a result, companies often end up sharing sensitive data with these Third-Parties without knowing it.
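As an added illustration (not code from the original post or from NormShield), the script below builds an inventory of the external hosts a web page loads scripts from and flags CDN-hosted scripts that carry no Subresource Integrity (`integrity`) attribute, the kind of unlisted Third-Party dependency described above. The HTML, hostnames and hash value are constructed samples.

```python
"""Inventory third-party script hosts in an HTML page and flag scripts
that are loaded cross-origin without a Subresource Integrity attribute."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one first-party script, one CDN-hosted jQuery
# without SRI, and one CDN-hosted script pinned with SRI. The hostnames
# and the integrity value are placeholders, not real resources.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-cdn.net/jquery/3.3.1/jquery.min.js"></script>
<script src="https://cdn.example-cdn.net/lib/1.0/lib.min.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects the attribute dict of every <script> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attributes = dict(attrs)  # attribute names are lower-cased by HTMLParser
            if attributes.get("src"):
                self.scripts.append(attributes)


def third_party_scripts(html, first_party_host):
    """Return (host, src, has_sri) for each script served from a host other
    than first_party_host. Relative URLs have no host and are first-party."""
    parser = ScriptCollector()
    parser.feed(html)
    found = []
    for attributes in parser.scripts:
        host = urlparse(attributes["src"]).netloc
        if host and host != first_party_host:
            found.append((host, attributes["src"], "integrity" in attributes))
    return found


def third_party_hosts(html, first_party_host):
    """Sorted, de-duplicated list of external script hosts: the inventory."""
    return sorted({host for host, _, _ in third_party_scripts(html, first_party_host)})


def unpinned_third_party_scripts(html, first_party_host):
    """External script URLs that lack an integrity attribute and so can be
    silently swapped on the CDN side; these deserve a risk-assessment entry."""
    return [src for _, src, has_sri in third_party_scripts(html, first_party_host) if not has_sri]
```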
Examples of Third-Parties
Here are a few examples of who can be considered a “Third-Party” in Third-Party Risk Management:
- Call Centre
- Marketing Agency
- Law Firm
- Office Supplies Provider
- Telephone Company
- Courier Services
- Software Development Service Provider
- Security Service Provider
- Hosting Provider
- Education Company
What are my (critical) Third-Parties?
Companies should not only understand the meaning of a Third-Party but also “know their Third-Parties”. How does this apply to the business? It means that if a company is bound by certain laws, regulations and contracts, or is running an enterprise risk management programme that must keep risk within a certain threshold, then its third-party service providers and vendors automatically need to meet those same requirements.
At the end of the day, it comes down to the fact that Third-Parties need to be assessed, and even continuously monitored, with regard to their commitment to the business’s risk tolerance, regulatory compliance and contractual requirements. By doing this, you make sure that they don’t pose an unnecessary risk to the organisation. But let’s not be too quick; we will leave these issues to upcoming blog posts.
Follow these steps to identify critical Third-Parties linked to your business that might pose a risk:
If a Third-Party vendor
- receives or has access to personal or sensitive data,
- has persistent access to your network, or
- is critical/material to your company,
then it is in scope for risk assessment and continuous monitoring.
How DVV Solutions & NormShield can help
Monitoring and continuous oversight of your Third-Party vendors and supply chain are critical. This extends beyond your own organisation to anywhere your data is handled along the way.
NormShield Third-Party Risk Assessment continuously assesses an organisation, captures critical information in the cyber risk dashboard and provides detailed drill-down capabilities to fully understand each risk. Ongoing monitoring surfaces priority risks and measures cyber risk posture improvement over time.
By providing Cyber Rating (technical), Compliance Estimations (policies and processes) and FAIR results (the probable impact in financial numbers), NormShield’s vision is to give a complete risk picture of a Third-Party.
Request your Free Rapid Cyber Security Rating here.
This blog was originally published by NormShield and is shared with their kind permission.
NormShield enables enterprises to monitor their external cyber risk posture and perform non-intrusive cyber risk assessments of their suppliers, subsidiaries and target acquisitions. Using easy-to-understand reports, we provide standards-based letter grades on various risk categories, along with data on how to mitigate each risk in priority order. Learn more at www.normshield.com.