In mid-April, KrebsOnSecurity reported that Wipro, one of India’s largest IT managed service providers, experienced a data breach impacting hundreds of thousands of their clients. The cause? An advanced phishing attack affecting a handful of employee accounts. Those compromised accounts were the gateway malicious hackers needed to target Wipro’s customers. What can we learn from this data breach? It all comes down to the need for effective third-party risk management.
How Can You Effectively Manage Third-Party Risk?
If you’ve entrusted a third party with access to your organization’s sensitive data, it’s understandable that you would want peace of mind that they’re doing everything they say they’re doing to protect that data. However, an effective vendor management program isn’t a one-way street: both you and your third-party vendors are responsible for protecting sensitive assets. Suppose you chose a bank and blindly trusted it to protect your money, without performing any due diligence to understand how it protects your assets, and then all of a sudden your money disappeared. It wouldn’t solely be the bank’s fault; it’d be yours too. The same goes for when you partner with a managed service provider. It can be easy to trust an established, well-known managed service provider like Wipro, but that doesn’t mean you can ignore the obvious: any third party increases your attack surface and is likely to introduce new vulnerabilities into your environment if it isn’t vetted properly. What are some steps to effectively manage third-party risk?
5 Steps to Manage Third-Party Risk
We believe that effectively managing third-party risk begins with implementing the following five steps.
- Conduct a Risk Assessment Survey: Get input from management and department heads so you can document the specific risks or threats within each department.
- Identify Risks: Evaluate an asset, such as an IT system, and identify the risks to its hardware, software, data, and IT personnel, as well as the potential adverse events, such as natural or man-made disasters.
- Assess Risk Importance and Risk Likelihood: Ask, “What is the likelihood of a specific event having a negative impact on a sensitive asset?” Typically, this is expressed qualitatively (high, medium, low) or quantitatively (1, 2, 3).
- Create a Risk Management Action Plan: Using what you learned from identifying risks and assessing the likelihood of each one having a negative impact on sensitive assets, develop control recommendations to mitigate, transfer, accept, or avoid each risk.
- Implement a Risk Management Program: Put the four previous steps into action by training your personnel and implementing controls to mitigate risks.
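To show how steps two through four fit together in practice, here is a small risk register that scores each identified risk on the high/medium/low or 1-3 scales mentioned above and turns the result into a prioritized action plan. This is an added example written for this article, not KirkpatrickPrice’s own tooling or methodology; the likelihood-times-impact score, the treatment thresholds, and the sample register entries are assumptions constructed for illustration.

```python
"""Risk register scoring for a third-party risk assessment.

Added example, not part of the original article or of any KirkpatrickPrice
methodology. The 1-3 scales, the likelihood x impact score and the treatment
thresholds below are assumptions chosen for illustration.
"""
from dataclasses import dataclass

# Qualitative ratings mapped onto the 1-3 scale the article mentions.
RATING = {"low": 1, "medium": 2, "high": 3}


def to_scale(value):
    """Accept 'high'/'medium'/'low' (any case) or an integer 1..3; return the integer."""
    if isinstance(value, str):
        key = value.strip().lower()
        if key not in RATING:
            raise ValueError(f"unknown rating {value!r}")
        return RATING[key]
    if value in (1, 2, 3):
        return int(value)
    raise ValueError(f"rating must be low/medium/high or 1..3, got {value!r}")


@dataclass
class Risk:
    asset: str        # what could be harmed: data, hardware, software, personnel
    threat: str       # the adverse event (step 2 of the process)
    likelihood: int   # 1..3, how likely the event is (step 3)
    impact: int       # 1..3, how important the asset / severe the harm (step 3)
    owner: str = ""   # department or vendor contact accountable for the control

    @property
    def score(self) -> int:
        # Assumed scoring model: likelihood x impact, giving a 1..9 range.
        return self.likelihood * self.impact


def treatment(score: int) -> str:
    """Assumed thresholds mapping a 1..9 score to a treatment option (step 4)."""
    if score >= 6:
        return "mitigate or avoid"      # high: act before continuing the engagement
    if score >= 3:
        return "mitigate or transfer"   # medium: controls, contract terms, insurance
    return "accept"                     # low: record and monitor


def load_register(rows):
    """Build Risk objects from (asset, threat, likelihood, impact, owner) tuples."""
    return [Risk(a, t, to_scale(l), to_scale(i), o) for a, t, l, i, o in rows]


def build_action_plan(register):
    """Return the register ranked by score, highest first, with a treatment per risk."""
    ranked = sorted(register, key=lambda r: r.score, reverse=True)
    return [
        {"asset": r.asset, "threat": r.threat, "score": r.score,
         "treatment": treatment(r.score), "owner": r.owner}
        for r in ranked
    ]


# Constructed sample register, mixing qualitative and numeric ratings.
SAMPLE_ROWS = [
    ("Customer data held by the MSP", "Phishing of MSP staff accounts", "high", "high", "Vendor mgmt"),
    ("Backup server", "Hardware failure", "medium", 2, "IT ops"),
    ("Head office", "Flood", "low", "high", "Facilities"),
    ("Public marketing site", "Defacement", 2, "low", "Marketing"),
]

if __name__ == "__main__":
    for item in build_action_plan(load_register(SAMPLE_ROWS)):
        print(f"{item['score']:>2}  {item['treatment']:<22} {item['asset']} / {item['threat']}")
```

The ranked output is the starting point for the action plan: the vendor-related risk at the top is the one that needs controls and evidence (for example, the vendor's own phishing defenses and the third-party assurance discussed below) before it can be moved down the list.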
Include Your Third-Party Vendors in Your Audit: Why They Need an Onsite Visit, Too
Another way to effectively manage third-party risk is to include your vendors within the scope of your information security audits. Let’s say that you’ve outsourced your IT services to an organization like Wipro, one located across the globe from you. You may believe it has a good reputation for delivering secure services, but have you ever physically inspected whether it’s doing what it says it’s doing? Have you ever received third-party assurance that its internal controls are in place and operating effectively? Chances are, you have not. By including your third parties in your audit, our auditors will make sure that the vendors you outsource to live up to your standards.
Are you a managed service provider looking to demonstrate your commitment to security? Do you outsource any of your business processes to a managed service provider and want to ensure that they’re providing secure services? KirkpatrickPrice can help! Contact us today to learn about our risk assessment services and how we can help ensure that your business remains secure when you partner with vendors.