Faced with ongoing cybersecurity threats, businesses are making greater investments to protect their internal systems and data. When IT leaders sign contracts with third-party vendors, they may assume that security is built into the equation. However, this is not always the case. This can create an opportunity for cybercriminals to enter your IT infrastructure, explained Chris Gordon, integrated risk management portfolio manager at CDW, in a recent ServiceNow webinar.
In fact, “98% of organizations have a relationship with a third party that has been breached” in the past year, according to SecurityScorecard. Neglecting to identify these vulnerabilities can leave gaps in your defenses.
To dramatically reduce threats, CDW and ServiceNow experts say that businesses should prioritize third-party risk management in their security strategies. Here’s a definition of TPRM and some best practices for putting the process in place.
Click the banner below to learn how CDW and ServiceNow’s managed services can help your business.
Why Third-Party Vendors Are Vulnerable to Attacks
Too often, vendors may not meet the same stringent policies as a company’s internal standards. This can create blind spots that hackers can exploit. Without clear oversight of vendor practices, businesses risk unintentionally introducing vulnerabilities into their systems, Gordon said.
Inadequate due diligence is another factor. If security is an afterthought rather than baked into every step of a vendor’s processes, systems are immediately more vulnerable. However, “with the latest release of ServiceNow’s Xanadu platform, due diligence becomes seamless,” he said. The platform runs vendor vetting and comprehensive risk assessments during vendor onboarding so that far fewer vulnerabilities slip through undetected.
IT leaders may also rely too heavily on vendors’ compliance certificates or self-assessments, which don’t necessarily translate to taking robust security measures. As a result, organizations need to dig deeper to ensure that vendors are actively managing and mitigating risks, or better yet, running their own third-party risk assessments, Gordon said.
How Does Third-Party Risk Management Work?
Third-party risk management is a process that helps a business automatically vet potential vendors. IT leaders can run risk assessments through ServiceNow’s Xanadu platform to scan for cyberthreats, areas of regulatory noncompliance, operational disruptions and reputational damage. IT leaders can also evaluate risk based on whether a vendor aligns with their business objectives; the financial risk involved; and information security risk, which evaluates how safely information is stored and protected during the transaction and onboarding phases.
RELATED: Increase your security monitoring without new hires.
“Prior to now, vendor risk management has been time-consuming and error-prone, consisting of manual processes using emails, spreadsheets and siloed vendor risk management tools,” a ServiceNow blog notes. But with Xanadu’s automated processes, businesses can run an initial risk assessment, assess a vendor’s degree of safety, evaluate findings, remediate issues, report risks, monitor and even retire third-party vendors efficiently.
Ultimately, IT leaders gain a “broad view of risks and performance across the extended enterprise,” according to Deloitte research.
98%
The percentage of organizations that had relationships with breached third parties
Source: SecurityScorecard, “Global Third-Party Cybersecurity Breaches,” 2023
How to Improve Your Third-Party Vendor Security
Once IT leaders are aware of these vulnerability areas, teams can work to close those gaps. Here’s a 10-step checklist to improve risk management to protect critical business assets:
- Implement a comprehensive due diligence process. Use ServiceNow’s custom questionnaires to gather vendor-specific risk information and assess key security areas such as compliance, data handling and incident response.
- Centralize risk management with the Vendor Management Workspace. Use Xanadu’s Vendor Management Workspace to organize and track all third-party risk assessments, ensuring a single source of truth for risk data. This allows your team to keep track of third-party risk assessments, monitor vendor compliance and initiate due diligence with minimal friction.
- Leverage the Employee Center for streamlined task management. Assign due-diligence tasks, prioritize high-risk vendors and let users manage third-party assignments through the ServiceNow employee center. This is a “new self-service portal that allows users to initiate third-party due diligence,” Gordon said.
- Set up custom risk scoring. Use Xanadu’s risk scoring system to calculate and prioritize risks based on the responses from custom questionnaires, focusing on high-risk vendors that need closer attention. Or avoid these vendors altogether.
- Enable vendor access through the contractor portal. Xanadu’s contractor portal allows vendors to log in, complete due diligence tasks and track their progress. This transparency encourages vendors to take ownership of their security practices while IT leaders monitor performance.
- Regularly send standardized and custom questionnaires: Ensure ongoing vendor assessments by sending periodic questionnaires to evaluate evolving risks, including new compliance standards or operational changes. “Custom questionnaires are a new addition in the latest ServiceNow update,” Gordon said.
READ MORE: How the Chicago Bears and other small businesses found success with managed services.
- Create and manage improvement initiatives for high-risk vendors. Work with vendors that receive poor scores from ServiceNow’s platform and encourage them to enhance their security posture over time. For example, “Vendors can log in to the vendor portal to see their homework assignments and check the status of their requests,” Gordon added.
- Integrate third-party risk management with ServiceNow’s Configuration Management Database. Connect your third-party risk management workflows with ServiceNow’s CMDB to ensure that all third-party relationships are properly tracked and managed within your IT infrastructure.
- Customize SLAs to include security requirements. Teams can partner with CDW to establish clear service-level agreements that define vendor security expectations, such as breach response times, data protection measures and compliance obligations.
- Schedule periodic vendor risk Reassessments. Collaborate with CDW to establish a schedule for annual or biannual vendor risk assessments to ensure that your third-party risk management processes evolve with the changing security landscape.
UP NEXT: Managed service providers can help your organization achieve its business objectives.
By using tools such as ServiceNow’s Xanadu platform, organizations can streamline their third-party risk management process, ensure comprehensive due diligence and continuously monitor their vendor ecosystem for potential risks. Leveraging CDW’s expertise in implementing these solutions can also help businesses stay secure and cyber resilient.