Third-party risk management has been a growing concern over the past decade, because weaknesses in a vendor’s security posture can have a detrimental impact on your organization. Countless third-party breaches have occurred, from the infamous Target breach in 2013, where hackers stole the payment card and personal data of 70 million customers, to the recent CDK ransomware incident, which has affected thousands of car dealerships across the nation.

But third-party risk does not stop at your vendors. A strong understanding of how your vendors store and process your information and what services or vendors they rely on (fourth-party risk) can reduce the likelihood of a third-party incident. 

Fourth-party risk refers to the potential risks introduced by a vendor, partner, or supplier of an organization’s third-party vendors. Essentially, these are your vendor’s vendors. These risks are particularly difficult to manage because organizations often lack visibility into these indirect relationships.  

When building a vendor risk management program, be sure to build controls to address fourth-party risk:  

  • Identify critical fourth parties by examining third-party relationships and subcontractors. 
  • Assess the risk posture of third parties by reviewing SOC reports or similar audit protocols.  
  • Implement oversight controls through contracts and policies with third parties. 
  • Utilize tools for fourth-party activity monitoring, such as GBQ’s partnership with SecurityScorecard. 
  • Ensure your employee termination procedures include termination activities for third-party tools and resources. 

Regular communication with your vendors, service providers, and external partners can help your organization stay ahead of third- and fourth-party risks.

Contact GBQ’s IT team to learn how GBQ can help empower your business continuity and vendor management programs. 

 

Article written by:
John Stuart
Senior Cybersecurity Analyst
