Like many modern-day organizations, yours likely relies on third parties for a variety of reasons, whether that’s the provision of specific materials or products through to outsourcing business tasks or activities. This dependency on trusted partners to provide goods or services is something that might be considered business and operationally critical. However, these third parties can also bring with them plenty of potential for risk.
In recent times, it’s not uncommon to hear of supply chains that have been compromised as a method to target an organisation, particularly when supply chain partners have a much weaker security posture than that of the target organisation. For example, you might remember the SolarWinds supply chain attack, where attackers used a valid digital certificate to deploy malware on SolarWinds’ own servers and infect its customers with a backdoor (the US Treasury Department being among its victims).
With the supply chain now being seen as a legitimate attack path, what can your organization do about it? And why is third-party risk management (TPRM) such a challenge? Let’s explore the top five challenges of TPRM and what you can do to overcome them.
1. Managing a large volume of suppliers
Research from Gartner (2019) indicates that organizations are working with more third parties than ever before and, of the organizations surveyed, 60% are working with more than 1,000 third parties. To conduct effective due diligence and ongoing management of such a huge volume of third parties requires significant resource, budget and expertise.
If you’re aiming to successfully manage such a high volume of suppliers, you need an effective system for categorization. This will help you quickly identify your most critical and high-risk suppliers. A clear, consistent and repeatable classification system for your suppliers will help your team focus on gaining the highest level of assurance from those that would have the greatest impact on your business should the worst happen.
We recommend you work closely with procurement teams to implement a mechanism to help you quickly identify your most critical and high-risk suppliers. This allows you to “eliminate the noise” of any third parties that would have little impact on your business should an undesirable event occur, particularly if your business has limited budget and resource. This approach also reduces the overall number of suppliers – which in turn, leads to a far more manageable third-party risk program.
Working closely with procurement and business stakeholders to qualify suppliers and risk levels early on also helps you to justify the cost of any resources used to undertake assurance activities. It also ensures that assurance is proportionate to the risks you’ve identified.
If your organization has a large supplier base, you might want to consolidate wherever possible. This will help minimise administrative efforts and reduce attack surfaces within supply chains.
2. Identifying your most critical and high-risk suppliers
Another common challenge of third-party risk management programs is identifying your most critical and high-risk suppliers. This means it’s vital that you work closely with the business to establish clear criteria on what is important based on risk appetite. Common criteria might include:
- Supplier access to company data
- Personal data processing
- Access and processing of regulated data types (e.g. cardholder data)
- Operational criticality
- Resilience
An example of this could be a manufacturing organization that’s dependent on a key supplier for provisioning critical materials for the manufacturing process. That supplier might have a small contract value, but it’s deemed operationally critical. This is because if the supplier were to experience any difficulties, it would directly affect the organization’s ability to manufacture the product. This is why operational criticality is a key factor when assessing and categorizing your suppliers.
Once you’ve established your criteria, you should then work on developing a set of simple, easy-to-answer questions. The aim here is to enable the business to quickly categorize vendors and determine the level of due diligence and assurance required. After categorization is complete, you can then take a proportionate level of due diligence against a chosen third party.
3. Supplier responsiveness and participation
Another major challenge of third-party risk management programs is supplier responsiveness and participation in the process. Many suppliers find themselves inundated by security questionnaires and, dependent on the value of your contract and relationship with the supplier, might not be as responsive as you’d like. Other suppliers will use their security accreditations (e.g. SOC2 type 2 reports, ISO 27001:2013 certificates) to streamline the process and complete security questionnaires more efficiently.
The key to overcoming this challenge is regular communication and a strong working relationship. We recommend that you schedule regular service review meetings (at least quarterly) and keep any supplier contact details up-to-date. In the event of any change to supplier services, this should be communicated clearly to the business representative.
The stronger your supplier relationships, the more responsive they will be to security questionnaires and due diligence requests.
4. Obtaining proportionate assurance
As we mentioned earlier, risk assessing and categorizing vendors allows your organization to focus on your most critical third parties.
Once categories have been identified, minimum assurance levels should be understood based on organizational appetite. Higher risk/impact/criticality vendors require higher levels of scrutiny from a security resiliency perspective, so your TPRM program should take this into account so proportionate assurance levels can be set based on risk. You can align this with industry certifications and accreditations such as SOC 2 type 1 or 2, or ISO 27001, to provide a benchmark for your suppliers to achieve.
5. Budget, resource and expertise
Budget, resource, and expertise can be the biggest challenge in third-party risk management programmes for many organisations with small teams and large supplier bases. You might have implemented previous recommendations, either to reduce supplier bases or target assurance on your highest risk suppliers. However, the end-to-end process of assessing a supplier’s security posture and communicating it effectively to the wider business can still be a challenge.
So what can you do to make things easier?
We recommend your organization uses automation wherever possible through software platforms and applications. SureCloud’s Aurora has a TPRM application that will automate onboarding your suppliers, issuing security questionnaires and calculating risk levels. It also helps you communicate risks to stakeholders and ensure consistent, repeatable processes are adopted.
Technology, in combination with expert support from experienced risk and cyber consultants, can ensure your suppliers are assessed in a consistent way. It can also help you communicate risk to business stakeholders in an easy-to-understand way.
Want to level up your TPRM strategy and overcome any of the above challenges?
Get in touch for a personalised demo of SureCloud’s third-party risk management software, Aurora.
