
Third-Party Risk: A Due Diligence Security Checklist for Vendors

Managing third-party risk is a top cybersecurity priority for organizations connected to extensive supply chains. But even those with comparatively small supply chains need to worry about the risks vendors pose. As for the vendors, they have a responsibility to perform due diligence of their own. They need to do their part to ensure they don’t create unnecessary risk for anyone else in the supply chain.

At DarkOwl, third-party risk management is an exercise rooted in darknet intelligence. The company assists clients in gathering intelligence that exposes potential risks so that those risks can be addressed.

DarkOwl recommends that vendors adopt a comprehensive checklist for managing their own cybersecurity. When vendors are secure, they pose far less risk up and down the supply chain. Although I could not find an official DarkOwl checklist, I put one together based on my own research:

Organizational Security

Each vendor must have its own security strategies and policies in place. In other words, protecting the rest of the supply chain begins at home. Vendors should:

  • Develop and/or verify a formal cybersecurity policy.
  • Create a dedicated in-house security team.
  • Conduct regular security awareness training among employees.
  • Conduct background checks on both current and incoming employees.

An organization’s external security posture is only as good as its organizational security. Vendors need to make sure their own houses are always in order.

Risk Management

Vendors should be managing their own risk rather than leaving it to other entities further up the supply chain. Risk management includes assessment. Vendors should:

  • Routinely evaluate their own risk assessment processes.
  • Implement and verify a comprehensive risk management program.
  • Assess and modify (if necessary) their incident response plans.

Assessing and managing third-party risk starts with the vendor itself. When vendors practice appropriate risk management, other organizations in the supply chain are safer.

Data Protection

Third-party due diligence also includes data protection. Vendors should:

  • Routinely evaluate data protection measures.
  • Implement proven encryption strategies.
  • Evaluate all access control mechanisms.
  • Assess data handling and privacy practices.

In this particular area, routine evaluations may turn up weaknesses in need of remediation. Policies and practices should be modified as needed to keep up with the threat landscape.

Third-party Risk Compliance

Vendors are expected to maintain necessary compliance and certification requirements. As such, they should:

  • Verify compliance with relevant regulations, at least annually.
  • Investigate and apply for industry-standard certifications.
  • Verify adoption of proven cybersecurity frameworks.

Compliance reviews and certifications demonstrate a vendor’s willingness to do what it takes to assess and manage its own risk. Organizations expect nothing less from their vendors.

Network and Infrastructure Security

Next on the checklist is network and infrastructure security. Vendors need to take an active role in maintaining their own infrastructure. They should:

  • Analyze and understand the attack surface.
  • Review all network security measures.
  • Develop strategic update and patch management processes.

To the extent vendors pay attention to their own network and infrastructure security, they protect others in the supply chain from looming threats.

Threat Monitoring

The final item on the due diligence checklist is threat monitoring. Vendors should have policies and processes in place for ongoing monitoring of threats and of the security controls meant to counter them, and they should periodically reassess all policies and procedures in light of what that monitoring reveals.

Third-party risk is a major concern given that organizations have a limited ability to control what vendors do. Vendors have an obligation to protect themselves as well as the organizations to which they have access. If everyone does their part, up and down the supply chain, every stakeholder is more secure as a result. It’s all about due diligence.