Once third-party (vendor) risk assessment has matured, the focus may likely move to fourth parties.
You’re concerned about your vendor’s cybersecurity posture. One of their vulnerabilities could lead to your sensitive data being exposed, like happened to Target, and damage business.
To cover your bases, you’ve been conducting vendor assessments. But many of these reports are insufficient & cumbersome, so you may have started turning to automated, objective third-party risk assessments, perhaps one offered through a company like RiskRecon [Disclosure: I’m a former employee of RiskRecon and a big fan of their product. I’m not paid/asked by them to feature them in this article.]. All of these efforts are commendable and highly useful.
But have you considered your vendor’s vendors? What would happen to your org if one of their third-parties vendors is breached? This is a question that the industry isn’t yet ready to answer. But the risk does exist. For instance, you’re worried about your third-parties, but are you worried about your vendors’ third-parties (i.e., fourth-parties).
This happened to consumers with Target. They were concerned with Target’s security posture but hadn’t considered what would happened if one of Target’s vendors (a fourth-party from the customer’s perspective) was breached. As a result, peoples’ Target credit cards were exposed, and Target’s A/R account plummeted to zero.
As the industry matures in assessing third-party risk, I can see the focus moving towards fourth-parties. If this does happen, what would it mean? Most likely:
- Organizations’ security posture will be regular scrutiny
- Any org serious about doing business will need to produce objective, security-risk statements (much like producing financial statements)
- Security clauses in contracts will take on even greater importance
- Orgs may care more about their security, and hopefully we’ll start to see fewer breaches (at least the ones that cause harm to people & orgs)
As the InfoSec industry continues to mature, your vendors’ potential customers may want to look at your org’s security posture. It’s a good idea to be prepared in the coming years to have a good security posture and processes in place.