The Plain English Version

Third party risk is the security risk that comes from your suppliers, vendors, and partners. When you share data with a supplier or they connect to your systems, their security weaknesses become your problem.

Many major breaches start with a third party - attackers target the weakest link in the chain. Your security is only as strong as your least secure supplier with access to your data.

Supply Chain Attacks

Instead of attacking you directly, attackers compromise a supplier whose software or services you use. The SolarWinds and MOVEit breaches affected thousands of organisations through a single compromised vendor.

Types of Third Party Risk

  • Data sharing - Suppliers who process or store your data
  • System access - Vendors with access to your network or systems
  • Software supply chain - Code and updates from software vendors
  • Service dependency - Critical services that could disrupt you if they fail
  • Fourth party - Your suppliers' suppliers

Managing Third Party Risk

Know who your suppliers are and what access they have. Assess their security before onboarding. Include security requirements in contracts. Monitor ongoing compliance. Have exit plans for critical suppliers.

Proportionate Approach

Not all suppliers need the same scrutiny. Focus effort on suppliers with access to sensitive data or critical systems. A cleaning company needs less vetting than your cloud provider or payroll processor.
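One way to apply this proportionate approach, and to catch the fourth-party case from the list above, is to keep a supplier inventory and let the tier of each supplier flow down to the subcontractors that receive its access. The script below is an added example, not code from this page; the supplier names and attributes are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Supplier:
    name: str
    holds_sensitive_data: bool = False   # "Data sharing" risk
    has_system_access: bool = False      # "System access" risk
    ships_software: bool = False         # "Software supply chain" risk
    critical_service: bool = False       # "Service dependency" risk
    subcontractors: List[str] = field(default_factory=list)  # fourth parties

# Tier 3 = full assessment before onboarding, contract clauses, annual review
# Tier 2 = questionnaire before onboarding, review every two years
# Tier 1 = basic checks only (the cleaning company in the text)
def own_tier(s: Supplier) -> int:
    if s.holds_sensitive_data or s.has_system_access or s.ships_software:
        return 3
    if s.critical_service:
        return 2
    return 1

def effective_tiers(inventory: Dict[str, Supplier]) -> Dict[str, int]:
    """A subcontractor that receives a supplier's data or access inherits
    at least that supplier's tier. Iterate to a fixed point; this terminates
    because tiers only ever rise and are capped at 3."""
    tiers = {n: own_tier(s) for n, s in inventory.items()}
    changed = True
    while changed:
        changed = False
        for name, s in inventory.items():
            for sub in s.subcontractors:
                if sub in inventory and tiers[sub] < tiers[name]:
                    tiers[sub] = tiers[name]
                    changed = True
    return tiers

def unknown_fourth_parties(inventory: Dict[str, Supplier]) -> List[str]:
    """Subcontractors named by a supplier but missing from your inventory:
    you cannot vet what you do not know exists."""
    return sorted({sub for s in inventory.values()
                   for sub in s.subcontractors if sub not in inventory})

# Constructed sample inventory
INVENTORY = {s.name: s for s in [
    Supplier("cloud-provider", holds_sensitive_data=True, has_system_access=True),
    Supplier("payroll-processor", holds_sensitive_data=True,
             subcontractors=["backup-vendor", "analytics-startup"]),
    Supplier("backup-vendor"),          # looks low-risk on its own
    Supplier("cleaning-company"),
]}
```

Run `effective_tiers(INVENTORY)` and the backup vendor, which has no direct access of its own, is raised to tier 3 because the payroll processor passes it your data; `unknown_fourth_parties(INVENTORY)` lists the analytics startup you have never assessed.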