Small and medium-sized enterprises (SMEs) heavily rely on external suppliers to enhance their operations and offer specialized services, as they rarely have the resources to internalize all required functions.

While these partnerships are essential for the company’s operations, they also introduce potential cybersecurity risks.

Implementing a solid third-party risk management program is vital to assess, monitor, and mitigate these risks. This article delves into how you can protect your assets and reputation from potential third-party risks.

Why Third-Party Risk Management is Essential

1. Increasing Cybersecurity Risks

External suppliers often have access to sensitive data and systems within our company. A typical example is outsourcing IT services.

If these suppliers do not have adequate security measures, they can become weak points that affect our own company.

It is common for cybercriminals to attack external suppliers, who sometimes have laxer security measures than the companies they work for, becoming the weakest link. Successfully compromising one of these suppliers could mean access to multiple networks and companies simultaneously. This was the case with the SolarWinds attack 1, which allowed attackers to access more than 18,000 companies and organizations worldwide, including the US Departments of Health, State, Homeland Security, and Treasury, as well as companies like FireEye, Intel, Cisco, and Microsoft.

SolarWinds Logo

2. Regulatory Compliance

Many industries have strict regulatory requirements for data protection and cybersecurity. For example, regulations such as GDPR, NIS2, or DORA, which dedicates an entire chapter to the topic (V), require companies, including their external suppliers, to maintain high-security standards for their data.

DORA Regulation - Digital Operational Resilience Act
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R2554

DORA Regulation Index on Third-Party Risk Management
Excerpt from the DORA Regulation

Failing to manage third-party risks can result in non-compliance, leading to fines and legal consequences. A solid Third-Party Risk Management program helps ensure that all suppliers meet regulatory standards, protecting the SME from potential compliance issues.

3. Reputation Protection

A security breach caused by an external supplier can have serious repercussions on an SME’s reputation.

As we have mentioned several times, large companies usually have greater capacity to manage and adapt to crisis situations. However, the same breach in smaller organizations can end the business.

The erosion of customer trust, as well as the costs associated with responding to the incident and subsequent recovery, often need to be absorbed into the company’s cost structure, making it much less competitive.

Third-Party Risk Management Program

Some key components of a third-party risk management program are:

1. Supplier Assessment and Selection

Before committing to a new supplier, it is crucial to know their security practices.

Large companies go so far as to evaluate the security program and conduct security audits of their suppliers. However, small and medium-sized enterprises rarely have the capacity or position to demand this type of relationship.

In this regard, it is recommended to turn to reputable suppliers who advertise their security practices, such as certification in associated standards and norms, like ISO 27001 or the National Security Scheme (ENS).

2. Continuous Monitoring

Cybersecurity is an ongoing process. In this regard, it is recommended to conduct periodic reviews of contracted external suppliers to ensure they maintain or improve their security standards over time.

3. Secure Contracting

One of the main aids that companies contracting external services can have is to demand security contractually.

These documents should detail security expectations, compliance requirements, and consequences for failing to meet these standards. Clearly defined contracts hold suppliers accountable and ensure they maintain adequate security measures.

A very common example is companies that contract third-party developments but make the mistake of not including security requirements as part of the project. This usually ends up in additional costs, as security flaws cannot be contractually demanded to be resolved once detected.

4. Incident Response Planning

Despite having the best preventive measures, security is never guaranteed. Incidents can occur, and having a well-defined response plan that includes external suppliers ensures a coordinated and effective response to any security problem.

In the case of external suppliers, the plan should detail precisely, in addition to the steps to follow, what the roles and responsibilities of all involved parties are and the communication protocols to be followed.

Conclusion

Third-party risk management is a critical component of cybersecurity for small and medium-sized enterprises. However, these types of companies rarely have sufficient internal knowledge to analyze, design, and manage a comprehensive risk management plan.

Analyzing our suppliers, understanding the risks they could potentially generate in our company, establishing security requirements in contracts, and implementing mitigation measures or defining response plans are actions that can be developed with the support of specialized companies like ours.