5 steps for third party risk management

The security of the #SupplyChain is perhaps our greatest concern at LEET Security, and it is the area where use of the rating can make the biggest difference, both for suppliers and for customers.

And let's face it, there is some self-interest in this, but of the kind that wants everyone to be safer so that we are safer too: the more companies invest in cybersecurity, and the more the cybersecurity of the value chain is strengthened, the safer all of us will be, together, as an ecosystem.

#StrongerTogether

Context

This year's 4th 'Business and Cybersecurity' Study, which focuses on value chain security as both a necessity and an obligation, notes the growing weight of suppliers in an organization's security: half of an organization's risk depends on the level of protection of its supply chain. We depend increasingly on suppliers that have growing access to, or are directly connected to, our internal network, and in this scenario two out of five attacks have come through suppliers.
Against this backdrop, only half of organizations monitor their suppliers on an annual basis and, most worryingly, 14.9% never evaluate them at all.

5 steps to improve security

Therefore, for those organizations that want to improve the security of their third parties, we recommend working on the following aspects:

1.- Involve all corporate stakeholders

Third-party risk cannot be managed effectively or efficiently unless every affected area is involved: Business, Procurement, Compliance, the Data Protection Officer (DPD), Risk and Cybersecurity.

2.- Design a holistic process

When the defensive position is weak, the smallest gap can turn into a significant incident, so the process must cover every relationship with third parties (not just suppliers), since any of them may hold access to systems or data.

3.- Integrate cybersecurity as another risk in the procurement process

Cybersecurity must be part of the negotiation with the supplier itself, on the same footing as the other components of the service, rather than an afterthought once the contract is signed.

4.- Identify and characterize the inventory of third-party services

What is not known cannot be protected. It is necessary to know how many services have been outsourced, what each of them accesses, and how critical each one is for our organization.

5.- Trust but verify

Self-assessment questionnaires are not reliable on their own, and neither are claims about management systems. The information must be confirmed: ideally the supplier itself provides evidence, and an independent third party verifies it.
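Steps 4 and 5 can be made concrete in a small risk register. The script below is an added example, not LEET Security's code or rating methodology: it holds a constructed inventory of fictional suppliers, derives a criticality tier from what each one accesses (network, personal data, core processes), and checks each supplier against a policy that sets a minimum level of verification and a maximum review interval per tier. The tier rules, assurance levels and review intervals are hypothetical thresholds that an organization would tune to its own risk appetite; it also reports the two coverage figures the study above cites (suppliers never evaluated, suppliers reviewed within the last year) for the organization's own inventory.

```python
"""Third-party inventory with criticality tiers and verification gates.

Added example (not LEET Security's code or rating methodology). The tier
rules, required assurance levels and review intervals are hypothetical
thresholds that an organization would tune to its own risk appetite.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import Optional


class Assurance(IntEnum):
    """How the supplier's security claims have been verified (step 5)."""
    NONE = 0           # never evaluated
    QUESTIONNAIRE = 1  # self-assessment only: a claim, not a verification
    EVIDENCE = 2       # supplier-provided evidence (policies, configs, test reports)
    INDEPENDENT = 3    # confirmed by an independent third party (audit, rating)


@dataclass
class ThirdParty:
    """One outsourced service and the attributes that drive its criticality (step 4)."""
    name: str
    service: str
    network_access: bool           # connected to, or reaching into, the internal network
    handles_personal_data: bool    # processes personal data on our behalf
    business_critical: bool        # an outage halts a core business process
    assurance: Assurance
    last_reviewed: Optional[date]  # None if never evaluated


# Hypothetical policy: tier -> (minimum assurance, maximum days between reviews)
POLICY = {
    1: (Assurance.INDEPENDENT, 180),
    2: (Assurance.EVIDENCE, 365),
    3: (Assurance.QUESTIONNAIRE, 730),
}


def criticality_tier(tp: ThirdParty) -> int:
    """Tier 1 is the most critical. A network-connected or business-critical
    service is tier 1 regardless of its other attributes."""
    if tp.network_access or tp.business_critical:
        return 1
    if tp.handles_personal_data:
        return 2
    return 3


def review_findings(inventory, today: date):
    """Return {supplier name: [findings]} for suppliers that fail the policy.
    Suppliers with no findings are omitted."""
    results = {}
    for tp in inventory:
        tier = criticality_tier(tp)
        min_assurance, max_age = POLICY[tier]
        issues = []
        if tp.last_reviewed is None:
            issues.append("never evaluated")
        elif today - tp.last_reviewed > timedelta(days=max_age):
            issues.append(f"review overdue (tier {tier}: every {max_age} days)")
        if tp.assurance < min_assurance:
            issues.append(f"assurance {tp.assurance.name} below required {min_assurance.name}")
        if issues:
            results[tp.name] = issues
    return results


def coverage_stats(inventory, today: date):
    """Share of suppliers never evaluated and share reviewed in the last year,
    the two figures the study reports for organizations at large."""
    n = len(inventory)
    never = sum(1 for tp in inventory if tp.last_reviewed is None)
    within_year = sum(1 for tp in inventory
                      if tp.last_reviewed is not None
                      and today - tp.last_reviewed <= timedelta(days=365))
    return {"never_evaluated": never / n, "reviewed_last_year": within_year / n}


# Constructed sample inventory: fictional suppliers, chosen to exercise each rule.
TODAY = date(2024, 6, 1)
INVENTORY = [
    ThirdParty("Acme MSP", "managed IT / remote administration", True, True, True,
               Assurance.QUESTIONNAIRE, date(2023, 2, 1)),
    ThirdParty("PayCo", "payroll SaaS", False, True, False,
               Assurance.EVIDENCE, date(2024, 1, 15)),
    ThirdParty("CleanCorp", "office cleaning", False, False, False,
               Assurance.NONE, None),
    ThirdParty("HostCo", "hosting of the customer portal", True, True, True,
               Assurance.INDEPENDENT, date(2024, 3, 1)),
]

if __name__ == "__main__":
    for name, issues in review_findings(INVENTORY, TODAY).items():
        print(f"{name}: {'; '.join(issues)}")
    print(coverage_stats(INVENTORY, TODAY))
```

With the sample data, the managed service provider with remote access to the network is flagged twice (a questionnaire is not enough for a tier 1 supplier, and its last review is older than the 180-day interval), and the cleaning contractor is flagged as never evaluated even though it is tier 3, which is the point of step 2: the process covers every relationship, with the depth of verification scaled to criticality.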

All you need is LEET
