The hamster wheel of perpetual audits
If you have ever had to complete a third party audit request from a client or a regulator, you know how time consuming and challenging it can be. Depending on the volume, it can feel like it never ends.
There has to be an easier way, one that saves your valuable time so that you can get on with what you actually want to do.
That's what this resource is about!
What you need to know
Third Party Risk - The potential risks that arise to your business from relying on external parties to perform services or activities on your behalf.
It is important to understand your third party risks so that you are aware of any issues that could have a significant impact on the operation of your business.
Third party risk can harm your business by eroding the trust of your customers, exposing you to serious legal and regulatory consequences for non-compliance and, if ignored, ultimately threatening the viability of the business itself.
A typical example is a cyber security vulnerability at a third party supplier that exposes your data and sensitive assets to cyber criminals. The impact can be devastating.
What you should do
As well as starting to think about all of your third party suppliers, you should also get your own house in order.
At a basic level that means ensuring you have, as a bare minimum, the following in place:
Templates
76 key questions that you should be asking your vendors, available as a free template.
Resources
Some useful things to think about and action
Categorise your vendors based on their importance to your business. Think about:
- Are they an essential part of your core business?
- Are they a nice to have?
- Do they process your sensitive data?
- Do they store your sensitive data?
Once you have worked that out, tier them into no more than 3 categories, e.g. Tier 1, Tier 2 and Tier 3. Based on that you can decide which ones require a more thorough due diligence process than others.
It sounds obvious, but many businesses never formally define their risk tolerance levels. This is the amount of risk the business can afford to carry before it becomes a major problem.
Tolerance can be defined in compliance, monetary, brand and trust terms.
Create an Authority to Operate process. Its purpose is to ensure that all the required internal stakeholders have signed off on the use of a technology or vendor, and that the associated risks and tolerance levels have been communicated to and understood by all parties.
This should be simple to operate and must not become a roadblock.
Monitoring your vendors should be a continual process, carried out in as near real time as possible. Annual third party risk assessments are fine, but they are a snapshot in time and nothing more than a litmus test. So invest in automation and tooling that delivers continuous monitoring of your core vendors: the ones where a critical incident could damage your business.
Useful Tools
External tools that may help you improve your third party risk management.
Third Party Risk
Security Scorecard
Allows you to monitor your own company indefinitely for free and up to 5 vendors for 30 days. If you don't have the time, we can manage this for you; please get in touch for options.
Generative AI
Vectara
AI agent and assistant platform.
Use it to build your own knowledge-based app, or whatever your imagination dreams up.
If you enjoyed the information on this page...
Then you can get in touch with me on LinkedIn or drop me a message, thanks!
Lvl 17, Angel Place,
123 Pitt Street,
Sydney
NSW 2000
(02) 7230 1350