Managing third- and fourth-party security risks


Modern business is increasingly connected, both locally and globally, while IT environments are becoming more diverse thanks to the proliferation of cloud services, startups and other disruptions. This calls for a rethink of how information and intellectual property are secured against potential attackers.

As physical and digital supply chains become more important, so does having prudent strategies for dealing with your supply chain's security and compliance measures. This includes third parties (your suppliers) and fourth parties (your suppliers' suppliers). The days of only needing to worry about the traditional 'four walls' security perimeter are long gone.

On-premises, hosted and cloud-based applications all house information about your organisation, and application programming interfaces (APIs) that give third parties access to some or all of this information are now commonplace. Ignoring this ecosystem's security requirements is asking for trouble: CIOs must keep a close eye on their entire supply chain.

Defending the perimeter

You can't put a firewall around your entire supply chain, and some security experts have gone so far as to say the notion of a security 'perimeter' is no longer helpful. There is some truth in this; however, directly protecting your organisation's information, physical systems and other assets from known and emerging threats is still crucial.

The trends that complicate this more traditional approach are those that extend or blur the line between 'inside' and 'outside', including:

  • BYO devices and apps
  • social networks
  • cloud infrastructure and apps
  • platform-as-a-service
  • selective sourcing agreements
  • APIs for automated data transfer

Your security architecture must take these into account, integrating them into its framework and extending protections where necessary – isolation is not an option.


Securing the supply chain

Thanks to the advent of hosted services and applications, supplier security has become a concern for every business. There are several practical steps you can take to limit supplier risk when moving to the cloud:

  • Do your homework: always investigate a new supplier's security and compliance measures, focusing on the technology and processes they have in place to protect your data.
  • Capture your data: back up all data you provide to your suppliers, even if only as an archive; you don't want to lose data because a supplier suffered an attack.
  • Build in your own security: investigate your own options (such as encrypting data before it leaves your environment, under keys the supplier does not hold) for securing data that is used in a supplier environment.
  • Understand your data's value: is the data in question simply too valuable to allow a supplier direct access to it?
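The last two points are easiest to see in code. The Go program below is an added example, not code from the original article: it encrypts only the fields a supplier does not need, under a key that stays in your own environment, and binds each ciphertext to the supplier and field name so that the supplier, or anyone who compromises it, can neither read those values nor swap them between fields or datasets. The record contents, the field names `email` and `diagnosis` and the identifier `supplier-a` are all constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Record is one row of data the organisation is about to hand to a supplier.
type Record map[string]string

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptField seals one value under AES-256-GCM. The additional authenticated data (aad) binds
// the ciphertext to a supplier and field name, so a blob cannot be moved elsewhere undetected.
func encryptField(key []byte, aad, plaintext string) (string, error) {
	gcm, err := aead(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(aad)) // nonce || ciphertext || tag
	return base64.StdEncoding.EncodeToString(ct), nil
}

// decryptField reverses encryptField; any tampering or context mismatch is an error.
func decryptField(key []byte, aad, encoded string) (string, error) {
	gcm, err := aead(key)
	if err != nil {
		return "", err
	}
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(ct) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], []byte(aad))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// transform copies rec and applies fn to every field named in sensitive.
func transform(key []byte, supplierID string, rec Record, sensitive []string,
	fn func(key []byte, aad, value string) (string, error)) (Record, error) {
	out := make(Record, len(rec))
	for k, v := range rec {
		out[k] = v
	}
	for _, f := range sensitive {
		v, ok := rec[f]
		if !ok {
			continue
		}
		nv, err := fn(key, supplierID+":"+f, v)
		if err != nil {
			return nil, fmt.Errorf("field %q: %w", f, err)
		}
		out[f] = nv
	}
	return out, nil
}

// ProtectRecord encrypts the sensitive fields under a key the supplier never sees, leaving
// the rest in the clear so the supplier can still work with them; RecoverRecord reverses it.
func ProtectRecord(key []byte, supplierID string, rec Record, sensitive []string) (Record, error) {
	return transform(key, supplierID, rec, sensitive, encryptField)
}
func RecoverRecord(key []byte, supplierID string, rec Record, sensitive []string) (Record, error) {
	return transform(key, supplierID, rec, sensitive, decryptField)
}

func main() {
	key := make([]byte, 32) // kept in your own KMS or HSM, never in the supplier's environment
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample record: the supplier only needs customer_id and region to do its job.
	rec := Record{"customer_id": "C-1001", "region": "AU", "email": "a.person@example.com", "diagnosis": "type 2 diabetes"}
	prot, err := ProtectRecord(key, "supplier-a", rec, []string{"email", "diagnosis"})
	fmt.Println("sent to supplier:", prot, err)
}
```

The supplier still receives `customer_id` and `region` in the clear, because that is what it needs; what it does not need, it cannot read. Tamper-evidence comes from the GCM authentication tag together with the additional authenticated data, so a ciphertext lifted from one supplier's dataset fails to decrypt under another supplier's context, and two encrypted fields swapped with each other fail too. Key management (storage, rotation, who may call RecoverRecord) is out of scope here and is the part that needs the most care in practice.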

Keep your friends close – and your business partners closer

Like supplier security, partner security centres on a risk profile that determines who is given access to what type of data. Keep a close eye on what you allow third parties to access and, in the case of APIs, work out in advance how you would revoke that access in the event of a problem.
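One way to make "work out in advance how you would revoke access" concrete is to keep your own ledger of the API keys you hand to partners. The Go program below is an added example, not code from the original article: each key is scoped to named actions, expires, can be revoked for a whole partner in one call, and can be listed for a periodic access review. The partner name `acme-logistics` and the scope names `orders:read` and `orders:write` are assumptions for illustration, and the registry is in-memory only.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
	"time"
)

var ErrDenied = errors.New("access denied") // one error for every failed check: callers learn nothing more
// Grant records what one partner key may do, until when, and whether it is still live.
type Grant struct {
	KeyID, Partner string
	Scopes         []string // kept sorted so Authorize can binary-search
	Expires        time.Time
	Revoked        bool
	secretHash     [32]byte // only a hash of the bearer secret is stored
}

// Registry is the organisation's own ledger of partner API access (single-goroutine example; a real service would guard the map with a mutex).
type Registry struct{ grants map[string]*Grant }
func NewRegistry() *Registry { return &Registry{grants: map[string]*Grant{}} }

// Issue mints a scoped, expiring key and returns the only copy of its bearer token.
func (r *Registry) Issue(partner string, scopes []string, ttl time.Duration, now time.Time) (string, error) {
	raw := make([]byte, 40)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	keyID, secret := hex.EncodeToString(raw[:8]), hex.EncodeToString(raw[8:])
	g := &Grant{KeyID: keyID, Partner: partner, Scopes: append([]string(nil), scopes...),
		Expires: now.Add(ttl), secretHash: sha256.Sum256([]byte(secret))}
	sort.Strings(g.Scopes)
	r.grants[keyID] = g
	return keyID + "." + secret, nil
}

// Authorize validates a "keyID.secret" token for one scope and returns the partner name.
func (r *Registry) Authorize(token, scope string, now time.Time) (string, error) {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return "", ErrDenied
	}
	g, ok := r.grants[parts[0]]
	if !ok {
		return "", ErrDenied
	}
	h := sha256.Sum256([]byte(parts[1]))
	if subtle.ConstantTimeCompare(h[:], g.secretHash[:]) != 1 {
		return "", ErrDenied
	}
	i := sort.SearchStrings(g.Scopes, scope)
	if g.Revoked || !now.Before(g.Expires) || i == len(g.Scopes) || g.Scopes[i] != scope {
		return "", ErrDenied
	}
	return g.Partner, nil
}

// RevokePartner cuts off every live key a partner holds and reports how many were hit.
func (r *Registry) RevokePartner(partner string) int {
	n := 0
	for _, g := range r.grants {
		if g.Partner == partner && !g.Revoked {
			g.Revoked = true
			n++
		}
	}
	return n
}

// Review lists "partner keyID [scopes] status" for every grant, sorted, for a periodic access review.
func (r *Registry) Review(now time.Time) []string {
	var out []string
	for _, g := range r.grants {
		status := "active"
		if g.Revoked {
			status = "revoked"
		} else if !now.Before(g.Expires) {
			status = "expired"
		}
		out = append(out, fmt.Sprintf("%s %s [%s] %s", g.Partner, g.KeyID, strings.Join(g.Scopes, ","), status))
	}
	sort.Strings(out)
	return out
}

func main() {
	now, r := time.Now(), NewRegistry()
	tok, _ := r.Issue("acme-logistics", []string{"orders:read"}, 24*time.Hour, now) // constructed partner
	_, err := r.Authorize(tok, "orders:write", now)
	fmt.Println("write attempt:", err, "| keys revoked:", r.RevokePartner("acme-logistics"))
	fmt.Println(strings.Join(r.Review(now), "\n"))
}
```

Authorize returns the same opaque error for every failure (unknown key, wrong secret, expired, revoked, missing scope) so a partner probing the API learns nothing from the response, and it compares the secret hash in constant time. Revocation is a flag rather than a delete, so the review output still shows what the partner used to hold. In a real deployment the ledger would be persistent and the review listing would go to whoever signs off partner access.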

Today’s diverse partner and supplier IT architecture makes security more challenging than ever, but by adapting your security model to extend beyond the traditional perimeter, you’ll be doing your bit to keep your data safe and secure.