Over the last few years, awareness of the importance of monitoring third-party vendors has increased. You have likely heard—and agree—that because of how interconnected organizations are today, it’s critical to make sure your vendors aren’t leaving your data exposed.
But have you considered the subcontractors of your vendors? These organizations are known as your "fourth parties," and they deserve your attention as well. Consider a concentration scenario: if you have 100 vendors in your supply chain and 60 of them rely on the same provider for a critical service, what happens to your business when that one provider has an outage or is breached? You never signed a contract with it, yet it is a single point of failure for most of your vendor base.
Even a single service provider sitting several layers down your supply chain can cause major disruptions or outages for a swath of companies relying on it. For example, in October 2016, DNS provider Dyn was flooded with traffic from a distributed denial of service (DDoS) attack. Because Dyn's nameservers could not answer queries, many of its customers, such as Amazon and PayPal, were effectively offline during the attack even though their own infrastructure was healthy. If your company, your vendors, or their vendors used Dyn for DNS during that time, your business may have been impacted by the outage, whether or not Dyn appeared anywhere in your vendor inventory.
With all of this in mind, many companies are paying more attention to the impact of fourth parties on their vendor ecosystem. The trouble is, companies often aren't sure where to begin in order to adequately monitor these fourth parties, so they end up feeling "blind" in the relationship. Flow-down language in a vendor contract, asserting that every obligation on your third-party vendor also applies to the vendor's subcontractors, gives you a contractual remedy but no visibility, and it may no longer suffice on its own. So, here are a few tips to get you started.
4 Tips For Monitoring Your Fourth-Party Vendor Risk
1. Keep your industry regulations in mind.
Because the discussion around fourth-party vendor risk is so new, you may need to dig into any regulatory guidelines in your industry. Come examination time, your auditors will certainly be asking about how you’ve upheld these risk management regulations, and you’ll want to be well-prepared.
2. Open up a discussion with your third-party vendors.
We understand that one-to-one vendor relationships are hard enough without considering your vendors' vendors! But simply starting a conversation with your third parties is a good step to take. You'll want to find out which of their service providers store, process, or transmit the critical data you share with them, and whether any of those providers have poor security practices.
3. Assess the fourth parties connected to your vendor ecosystem.
Once you’ve opened up discussions with your third parties and understand which fourth parties touch your sensitive data, you can better assess the risk they present. You’ll want complete information about the security posture of the fourth parties with access to your data.
The trouble is, gathering this information isn’t always as simple as it sounds. Some of your vendors may not even know what subcontractors they’re connected to and may not have any insight into which of those vendors have access to your data. That’s where BitSight Discover comes in. BitSight Discover is the only vendor discovery solution that highlights potentially risky service providers connected to your vendors—which cuts out a great deal of the legwork for you (and the guesswork for your vendor).
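The assessment step above, and the "60 of 100 vendors on one provider" scenario from the introduction, come down to one piece of analysis: invert your vendor-to-provider mapping and find the fourth parties that the most vendors (and the most vendors holding your sensitive data) depend on. The script below is an added example and is not BitSight's code or part of the original article; the vendor and provider names are constructed, and the inventory would in practice come from vendor questionnaires, contract flow-down disclosures, or DNS and hosting fingerprinting rather than a hard-coded dictionary.

```python
"""
Fourth-party concentration report (added example, not BitSight's code).

Given an inventory of third-party vendors and the service providers (fourth
parties) each one depends on, invert the mapping to find which fourth
parties the most vendors share, flag the ones whose loss would take out a
large share of the vendor base, and compute the blast radius of a single
provider failure.
"""
from collections import defaultdict

# Constructed sample inventory: vendor -> {service: provider}.
# All names are illustrative placeholders.
VENDOR_INVENTORY = {
    "payroll-co":    {"dns": "dns-prov-a", "hosting": "cloud-x", "email": "mail-1"},
    "crm-vendor":    {"dns": "dns-prov-a", "hosting": "cloud-x"},
    "ticketing-svc": {"dns": "dns-prov-a", "hosting": "cloud-y", "cdn": "cdn-q"},
    "analytics-inc": {"dns": "dns-prov-b", "hosting": "cloud-x", "cdn": "cdn-q"},
    "backup-ltd":    {"dns": "dns-prov-a", "hosting": "cloud-z"},
}

# Vendors that hold data we care about; a fourth party behind one of these
# matters more than one behind a vendor that only sees public information.
VENDORS_WITH_SENSITIVE_DATA = {"payroll-co", "crm-vendor", "backup-ltd"}


def invert_inventory(inventory):
    """Map (service, provider) -> set of vendors that depend on it."""
    dependents = defaultdict(set)
    for vendor, services in inventory.items():
        for service, provider in services.items():
            dependents[(service, provider)].add(vendor)
    return dependents


def concentration_report(inventory, sensitive_vendors, threshold=0.5):
    """
    Return one dict per (service, provider) pair, sorted so the most widely
    shared fourth parties come first. 'single_point_of_failure' is True when
    the provider serves at least `threshold` of all vendors in the inventory
    (the 60-of-100 case from the article would be 0.6).
    """
    total = len(inventory)
    if total == 0:
        return []
    rows = []
    for (service, provider), vendors in invert_inventory(inventory).items():
        share = len(vendors) / total
        rows.append({
            "service": service,
            "provider": provider,
            "vendor_count": len(vendors),
            "share_of_vendors": round(share, 2),
            "touches_sensitive_data": bool(vendors & sensitive_vendors),
            "single_point_of_failure": share >= threshold,
        })
    rows.sort(key=lambda r: (-r["vendor_count"], r["service"], r["provider"]))
    return rows


def blast_radius(inventory, provider):
    """Vendors that lose a dependency (and so may go dark) if `provider` fails."""
    return sorted(v for v, services in inventory.items() if provider in services.values())


if __name__ == "__main__":
    n = len(VENDOR_INVENTORY)
    for row in concentration_report(VENDOR_INVENTORY, VENDORS_WITH_SENSITIVE_DATA):
        flag = " <-- single point of failure" if row["single_point_of_failure"] else ""
        print(f"{row['service']:8} {row['provider']:12} {row['vendor_count']}/{n}"
              f" sensitive={row['touches_sensitive_data']}{flag}")
    print("If dns-prov-a fails:", blast_radius(VENDOR_INVENTORY, "dns-prov-a"))
```

Run as-is it shows that a DNS provider none of your contracts name (dns-prov-a) underpins four of the five vendors, including every vendor holding sensitive data, which is exactly the Dyn-style exposure the article describes. The threshold is deliberately a parameter: what counts as unacceptable concentration depends on how critical the service is and how quickly the vendor could fail over to another provider.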
4. Monitor your fourth-party vendors via Security Ratings.
Once you have a complete list of your critical fourth parties, continuously monitoring their Security Ratings is critical. If a Security Rating drops, that may indicate a security weakness, and it should be raised with the third-party vendor through whom that fourth party is connected to you, since that vendor, not the fourth party, is the one you have a contract with.
Don’t take your fourth-party vendor risk lightly!
If there's a weak link in your supply chain network, and that link is exploited, it could critically impact your business. Third- and fourth-party risks shouldn't be brushed aside or saved for later. Tackling them today will help ensure you keep your data secure.