If auditors or examiners are requesting information on your vendors’ vendors, also known as fourth-party vendors, you may need to pump the brakes on your vendor risk management (VRM) program. Some VRM programs address only your immediate vendors (third-party vendors) and fail to provide an avenue for addressing fourth-party risk, which can make your organization just as vulnerable.
Even though you don’t have direct contact or even a contract with fourth-party vendors, you can still be liable if your current vendors don’t manage the security of their own vendors properly. If one of your vendor’s vendors gets hacked, there’s a possibility the attacker could access your network through your vendor’s environment.
Assessing Fourth-Party Vendors
In this vast ecosystem of connected businesses, it’s critical to know who your vendors rely on for critical business functions. These high-risk fourth-party vendors are the ones to focus on; ask your vendors for:
- Information on the process and frequency of their vendor assessment program
- Results of the most recent high-risk vendor assessments, including remediation efforts
- A copy of their vendor management policy
Due to privacy issues, your vendors might not be able to divulge some information about their own vendors. Contract terms can often limit the information that is shared. However, at a minimum, you should require that all of your critical vendors have their own vendor risk management programs and certify to it. There are other alternate measures you should take and incorporate in your best practices as well.
Continuous Vendor Monitoring
Internet-facing assets, such as websites, networks, IP addresses and apps, are particularly vulnerable to attack and can provide a gateway directly to your sensitive data. Your vendors, and also your vendors’ vendors, should continuously monitor these assets for breach; however, most don’t.
Vendors make changes every day, and some of these changes can introduce vulnerabilities, rendering your most recent vendor risk assessment obsolete. Continuous vendor monitoring should be a critical part of your VRM program: it monitors all Internet-facing assets, scans attack surfaces for issues that could introduce a vulnerability, and alerts you to those potential risks, ideally before an attacker discovers the vulnerability.
ThreatScape, ProcessBolt’s continuous monitoring platform, is used by both enterprises and vendors to monitor their own Internet-facing assets, automatically receiving alerts on risks that may affect their environments and that may change the most recent vendor risk assessment rating and remediation recommendations. ThreatScape can, and should, be used not only to monitor a company’s own Internet-facing assets, but also those of its critical vendors. In addition, your vendors can ask their own vendors to use ThreatScape, extending monitoring to vulnerabilities in your fourth-party vendors’ environments.
ThreatScape allows you to see exactly how a hacker views the gaps in your environment. By simply loading your Internet-facing assets into the ThreatScape dashboard and letting it run in the background, ThreatScape continuously scans your attack surfaces, and those of your vendors, without impacting your systems.