How Well Do You Know Your Third Parties?

5 minute read

April 2023

by cybergrx

How well do you know your third parties? Are your records accurate and up-to-date?

Modern economies rely on third parties, but they also pose a significant cyber risk. In fact, 67% of data breaches stem from third-party compromises. Third parties encompass vendors, partners, suppliers, contractors, service providers, and consultants– basically, any company or individual with whom you have entered a business relationship.

Some of the many challenges of having a large third-party network is maintaining a current inventory of who they are. After all, if you don’t know which third parties are in your network, you can’t understand your potential risks and vulnerabilities from these relationships. For example, nearly half of the companies impacted by the SolarWinds incident didn’t even know they were using SolarWinds. The last thing you want is to be notified by a third party–that you didn’t even know you were using–that they had a breach. The goal here is to be proactive and informed.

Correctly Identifying Each of Your Third Parties 

Third parties should be systematically and continuously tracked, beginning with the full legal name of the registered business, company, or individual. To avoid expensive errors caused by ambiguity, never track them by their brand name, trademark name, alternate names, DBA names, software titles, websites, or other potentially confusing identifiers.

This table shows commonly mistaken third-party names (the brand) vs. the parent company that owns them. Referring to a third party by the brand names can create confusion and error when it’s time to evaluate them.

Brand Names 

Parent Company

Google Drive

Google LLC (Parent: Alphabet Inc.)

SharePoint

Microsoft Corporation

MacBook

Apple Incorporated,

Gillette

The Procter & Gamble Company

Photoshop

Adobe Systems Incorporated

Unix

The Open Group

Exxon

The ExxonMobil Corporation

Identifying the exact third-party company and its impact on your business during a data breach is not ideal. Thus, it’s essential to conduct due diligence systematically before entering into a third-party relationship to prevent such scenarios. As an example, there are 8,878 registered companies with “Fidelity” in the name. If you only have “Fidelity” listed as your third party, would you know which one it is? 

Establishing Cyber Relevance

When conducting a cyber risk analysis of your third parties, it is essential to establish the third party’s cyber relevance. For example, a cloud storage provider that hosts a company’s intellectual property is highly valuable and cyber-relevant, given that they hold the company’s most important data. But what about a small business that cares for your office plants? It might be easy to discount them as not cyber-relevant since they do not maintain any company data. However, you might want to rethink your classification if they have after-hours access with minimal supervision to areas where secure data is housed or accessed. This seemingly non-cyber-relevant company could become very relevant with a simple USB thumb drive from a malicious contractor used by your third party. 

Let’s look at another scenario. What about a travel services company maintaining records on every executive’s travel schedule? Could this data have value in the wrong hands

Or how about an HVAC services company or even a company that monitors fish tanks in casinos? 

These are all examples of high-profile, multimillion-dollar data breaches through a third party. The point here: your third parties’ cyber relevance needs to be evaluated carefully.

Performing Your Due Diligence

When analyzing your third parties, it is important to examine the product or service they provide and how your company interacts with them. Your objective is to understand the interaction they have with your: 

  • Applications
  • Business Processes
  • Data, Devices
  • Digital Identities
  • Facilities
  • Networks
  • People

The more significant the interaction they have with your company, the higher the risk they present and the stronger the due diligence you need to perform to ensure that you and the third party have the appropriate controls in place. Third parties with a high interaction with your company will have a more significant, more costly impact on you should they experience a security incident.

Because the risk of digital fallout is so high, third-party data gathering and due diligence should be integrated into your procurement process. Before approving a new third party, a minimum of the following should be obtained and tracked:

  • Full Legal Name of the third party entity, including corporate ending such as Corp., Group, Inc., LLC, LTD, PC, etc.
  • The full legal name of the parent company of your third party (if applicable). 
  • Third party’s full headquarters address and primary phone number.
  • The primary domain name (used for numerous security ratings and security assessment companies).
  • Product or service the entity provides your company, including how/when the product or service is used.
  • At least two contacts at the third party that you can reach out to for questions on cybersecurity controls or in the event of a security incident. (Phone and email)
  • Inherent risk ranking. CyberGRX provides Auto Inherent Risk insights to automate the process, replacing the manual work of determining your inherent risk.
  • Residual risk ranking (especially if they interact significantly with your company’s data, facilities, people, applications, business processes, networks, devices, and/or digital identities). CyberGRX Predictive Risk Profiles are especially effective, with up to a 91% accuracy rate.
  • The department and internal contact of the primary internal stakeholder(s) for the product or service. 
  • Impact to you if the product or services provided by the third party were immediately severed due to a security incident.
  • Financial and contract Information, including automatic renewal dates.

Ideally, the above should be reviewed and updated annually as a part of your formal contract renewal process.

Cyber Risk Visibility Beyond the Immediate Organization

Of course, evaluating third parties is a time-consuming process, and it’s not possible or practical to assess each one every year. Third-party risk management platforms like CyberGRX are instrumental for gaining portfolio-wide risk visibility and awareness to determine which of your third parties pose more significant risks and need deeper evaluation. 

CyberGRX also provides organizations with enhanced cyber risk intelligence, enabling security practitioners to make well-informed decisions regarding vendor access, third-party security control implementations and remediations, and even supplier decisions on a larger strategic level.

Mitigating Third-Party Risk

In short, as cyberattacks increase in volume and sophistication, it’s only a matter of time before critical third parties in your ecosystem succumb to security failures, if they haven’t already. With the proper third-party risk management measures in place, organizations are better positioned to thrive when digital interdependence is a standard mode of business operations. 

Effective third-party risk management starts with knowing who your third parties are and how your company engages with them, then identifying who the risky players in your portfolio are, so you can proactively address them. By doing our part in identifying and remediating risks, our digital world is safer for all of us.

For more information on CyberGRX and our risk Exchange platform, we invite you to book a demo.

Related Articles

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit www.processunity.com.