Most organisations have some sort of programme for assuring themselves about the cyber security defences of their third parties - typically suppliers, vendors or partners.
As a Cyber Security vendor and third-party risk management tool and services provider, we have seen a number of these programmes in action. These are some of the mistakes we see repeated and some suggestions on what to do about them.
Mistake #1 - make up your own cyber security checklist
The International Standards Organisation and the UK's National Cyber Security Centre, to name just two bodies, have spent a lot of time and money devising perfectly decent standards which are readily tested and assured against by a whole ecosystem of third parties. So why do so many organisations make up their own checklists for cyber security?
Even if there is a special emphasis to be made on one particular control, surely it makes perfect sense to adopt some commonly available standards as your starting point. There are so many benefits:
The checklist will be kept up to date at someone else's expense
The checklist has several guides, books and training courses about it
There are many specialists to help the third parties if they need it
You can get other people to independently assess the third party
And the third party will probably pay them to be assessed
You can check if they already have a certificate with a single question and save a LOT of effort
And, last but by no means least, the third party actually receives something of value if they complete it (the standard or certificate)
Our advice is to base your third-party assurance around commonly used standards and supplement with further questions only if you absolutely have to. In the UK we would suggest Cyber Essentials, IASME Governance and ISO 27001.
Mistake #2 - make everyone complete the same assessment
Even more surprising than mistake #1 is the determination of some cyber security assessors to enforce adherence to a draconian, high-level cyber security checklist on every single third party or supplier, regardless of context.
We have seen one-person businesses, who have zero chance of inducing a meaningful breach, sent 150+ question ISO 27001-based checklists with not a word in the way of explanation or help. ISO 27001 is for large organisations, not for people whose IT infrastructure consists of a laptop and a mobile phone.
Naturally enough, when the small supplier simply refuses to comply out of frustration, they are typically nodded through with no assessment at all - leaving the buying side in ignorance as well!
Our advice is to undertake a short but systematic third-party impact assessment before deciding which approach to take for each third party. Establish what the potential or inherent risk is and then assess accordingly. You can also assess the potential for data privacy and GDPR issues by carrying out a simple data privacy assessment at the same time. Develop a simple table along these lines:
Impact > Assessment approach
Very Low (e.g. paper clip provider) > None
Low > Cyber Essentials
Medium > Cyber Essentials Plus
High > IASME Governance
Very High (e.g. vendor of HR system) > ISO 27001
But you can of course develop a table of your own. The main thing is to have one.
Mistake #3 - leave it to your in-house cyber security team
In-house cyber security teams are busy protecting your organisation. They have a set of responsibilities that never ends - there is always more you can do to protect the organisation. So when you drop the name of a third party on them for an assessment, it will rarely be the most important thing on their plate. For this reason the cyber checks often take a long time to complete. What's more, the cyber security team don't necessarily have the time, or know how best, to communicate the findings (which are never binary) to either the internal stakeholders or the third parties themselves.
Our advice is to get help, and also to take a risk-assessed approach. For example:
Impact > Assessment approach
Very Low > None
Low > Cyber Essentials - self-assessed approach, share the question set with the third party
Medium > Cyber Essentials Plus - insist on seeing the certificate number; direct them to an IASME/CE+ assessment house if none is forthcoming
High > IASME Governance - insist on seeing the certificate number; direct them to an IASME/CE+ assessment house if none is forthcoming
Very High > ISO 27001 - outsource the assessment to a specialist third-party cyber assessment provider
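A worked version of the tiering step, combining the impact table under Mistake #2 with the evidence table above, as an added Python example that is not part of the original article. The three 0-3 scoring factors, the summation thresholds, the "single maximal factor" floor and the personal-data uplift are assumptions chosen for illustration; the five impact levels and the standards mapped to them are the article's own. The certificate number argument models the "single question" from Mistake #1: a supplier that already holds the certificate short-circuits the questionnaire.

```python
# Added example (not from the original article): a small third-party tiering
# model that turns an inherent-impact assessment into an assessment approach.
# Scoring factors, their 0-3 scales and the uplift rules are assumptions; only
# the impact levels and the standards mapped to them come from the article.
from dataclasses import dataclass
from typing import Optional

TIER_NAMES = ["Very Low", "Low", "Medium", "High", "Very High"]

# Tier -> (standard, how evidence is obtained). Standards follow the article's
# tables; the evidence wording paraphrases its second table.
APPROACH = {
    "Very Low": (None, "no assessment"),
    "Low": ("Cyber Essentials",
            "self-assessed; share the question set with the third party"),
    "Medium": ("Cyber Essentials Plus",
               "certificate number required; refer to an IASME/CE+ assessment house if none"),
    "High": ("IASME Governance",
             "certificate number required; refer to an IASME/CE+ assessment house if none"),
    "Very High": ("ISO 27001",
                  "outsource assessment to a specialist third-party cyber assessment provider"),
}


@dataclass
class ThirdParty:
    name: str
    data_sensitivity: int        # 0 = none handled .. 3 = highly confidential (assumed scale)
    system_access: int           # 0 = none .. 3 = privileged access to our systems (assumed scale)
    business_criticality: int    # 0 = trivially replaceable .. 3 = outage stops the business (assumed)
    processes_personal_data: bool  # the data privacy / GDPR question asked alongside


def impact_tier(tp: ThirdParty) -> str:
    """Map the inherent-risk factors to one of the article's five impact levels."""
    factors = (tp.data_sensitivity, tp.system_access, tp.business_criticality)
    if any(not 0 <= f <= 3 for f in factors):
        raise ValueError(f"{tp.name}: factors must be on the 0-3 scale")
    total = sum(factors)  # 0..9, bucketed into the five tiers (assumed thresholds)
    if total == 0:
        idx = 0
    elif total <= 2:
        idx = 1
    elif total <= 4:
        idx = 2
    elif total <= 6:
        idx = 3
    else:
        idx = 4
    # Assumed rule: any single factor at its maximum (e.g. privileged access)
    # is a floor of High, however modest the other factors are.
    if max(factors) == 3:
        idx = max(idx, 3)
    # Assumed rule: the privacy assessment lifts any personal-data processor
    # to at least Medium, so a certificate is seen rather than self-assessed.
    if tp.processes_personal_data:
        idx = max(idx, 2)
    return TIER_NAMES[idx]


def assessment_plan(tp: ThirdParty, certificate_number: Optional[str] = None) -> dict:
    """Return the tier, the standard to assess against, and the next action.

    certificate_number is the answer to the single "do you already hold the
    certificate?" question; a held certificate replaces the questionnaire.
    """
    tier = impact_tier(tp)
    standard, evidence = APPROACH[tier]
    if standard is None:
        action = "record as Very Low impact; no cyber assessment"
    elif certificate_number:
        action = f"verify {standard} certificate {certificate_number}; no further questionnaire"
    else:
        action = evidence
    return {"third_party": tp.name, "tier": tier, "standard": standard, "action": action}


if __name__ == "__main__":
    # Constructed sample suppliers, not real organisations.
    sample = [
        ThirdParty("Paper clip supplier", 0, 0, 0, False),
        ThirdParty("One-person design contractor", 0, 0, 1, False),
        ThirdParty("Marketing agency holding customer emails", 1, 0, 1, True),
        ThirdParty("IT support contractor with admin rights", 1, 3, 1, False),
        ThirdParty("HR system vendor", 3, 2, 3, True),
    ]
    for tp in sample:
        print(assessment_plan(tp))
    # Same contractor, but they already hold a certificate (placeholder number)
    print(assessment_plan(sample[3], certificate_number="PLACEHOLDER-CERT-0001"))
```

The two uplift rules are the part worth adapting to your own organisation: summing factors alone would let a supplier with privileged access but no data and low criticality land in Low, which is exactly the kind of context the article says a one-size-fits-all checklist ignores.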
The overall approach should of course be agreed in advance with your cyber team, but set it up in such a way as to keep their involvement to a minimum except where they absolutely have to be involved.
Crossword can help in many ways with third-party assurance, and especially in the area of cyber security. Our Rizikon Assurance tool is an excellent platform for all types of third-party risk assurance.