What You Need To Know About Fourth Party Vendor Risk

The importance of monitoring third-party vendors has increased in recent years with the numerous data breaches originating in vendor systems. You have likely heard from news coverage of major breaches that, because organizations are so interconnected today, it’s critical to make sure your vendors aren’t leaving your data exposed.

But have you considered the subcontractors of your vendors? These organizations are known as your “fourth parties”—and they deserve your attention as well. Consider this potential scenario: If you have 100 vendors in your supply chain and 60 of them are using a certain provider for a critical service, what will happen if that critical provider experiences downtime or is breached?

Even relatively small service providers can cause major disruptions or outages to a swath of companies relying on them. For example, in October 2016, DNS provider Dyn was flooded with traffic from a distributed denial of service (DDoS) attack, which forced many of its customers—like Amazon and PayPal—to go offline during the attack. If your company, your vendors, or their vendors used Dyn for DNS services during that time, your business may have been impacted by the outage.

With all of this in mind, many companies are starting to pay more attention to the impact of fourth parties on their vendor ecosystem. The trouble is, companies often aren’t sure where to begin in order to adequately conduct these fourth-party security audits, so they end up feeling “blind” in the relationship. It may no longer suffice to simply add language to a vendor contract asserting that everything that applies to your third-party vendor also applies to the vendor’s subcontractors. So, here are a few tips to get you started on building a complete fourth-party audit process.

4 Tips For Monitoring Your Fourth-Party Vendor Risk

1. Keep your industry regulations in mind.

Because the discussion around fourth-party vendor risk is still relatively new to some security programs, you may need to dig into any industry regulatory guidelines on your own. Come examination time, your auditors will certainly be asking about how you’ve upheld these risk management regulations during your fourth party audits, and you’ll want to be well-prepared.

2. Open up a discussion with your third-party vendors.

We understand that one-to-one vendor relationships are hard enough without considering your vendors’ vendors. But simply starting a conversation with your third parties is a good step to take. An effective fourth-party audit process begins with your vendor’s reporting process. You need a view into whether the critical data you share with your vendors is being passed along through any service providers with poor security practices.

3. Assess the fourth parties connected to your vendor ecosystem.

Once you’ve opened up discussions with your third parties and understand which fourth parties touch your sensitive data, you can better assess and audit the risk they present. You’ll want complete information about the security posture of the fourth parties with access to your data.

The trouble is, gathering this information in a fourth party audit isn’t always as simple as it sounds. Some of your vendors may not even know what subcontractors they’re connected to and may not have any insight into which of those vendors have access to your data. That’s where Bitsight Discover comes in. Bitsight Discover is the only vendor discovery solution that highlights potentially risky service providers connected to your vendors—which cuts out a great deal of the legwork for you and the guesswork for your vendors during the fourth party audit process.

4. Monitor your fourth-party vendors via Security Ratings.

Once you have a complete list of your critical fourth parties, continuously monitoring their security ratings is critical. If a security rating drops, that may indicate a security weakness that should be addressed with the vendor you’re doing business with.

Don’t take your fourth-party vendor risk lightly!

If there’s a weak link in your supply chain network, and that link is exploited, it could critically impact your business. Third- and fourth-party risks shouldn’t be brushed aside or saved for later. Tackling them today with fourth-party audits will help ensure you keep your data secure.