Every company outsources parts of its operations to multiple suppliers. Those suppliers, in turn, outsource their operations to other suppliers. This is fourth party risk: the risk to your company posed by your suppliers' suppliers. Confusing, isn't it? The best way to frame it is with a case study, so please read on!
You help look after Information Security at a manufacturing company.
Your company has got a policy for everything, including the policy to regularly maintain all the policies.
The cybersecurity staff training program you started is now underway, and you're becoming confident that employees are gradually learning not to open all the emails.
You're in the top 5% of InfoSec teams and use a risk scoring platform such as UpGuard VendorRisk to scale your team with automation. You're scoring and monitoring your third-party vendors, and automating your vendor security questionnaires.
It's August 9th, 2018. You read UpGuard's report disclosing a breach at Level One Robotics. Very interesting, but you double-check your third-party vendors in VendorRisk, and there's no possible impact as your company isn't directly engaging Level One. Third-party risk - zero.
But wait. You use VendorRisk to drill down a bit deeper, and more facts emerge:
- VendorRisk tells you that Level One Robotics is using BlueHost, a web hosting company.
- Your company has started a project to outsource web hosting to BlueHost.
- This was a breach involving the rsync tool, possibly caused by misconfiguration of web-facing infrastructure.
- You immediately notify the project team who begin making enquiries with BlueHost about the impact to the project.
- You then prepare a set of security questions tailored to this type of risk for BlueHost to resolve. This is easy, because you are already automating vendor security questionnaires with VendorRisk.
You've just managed your exposure to fourth party risk. It's not just your suppliers, but your suppliers' suppliers that matter.
Fourth-party relationships can get really complicated, and the number of them grows quickly. If your company uses 30 third-party vendors, and each of them uses 30 vendors, that's 900 vendors to monitor. A breach at just one of those vendors could cascade through to your business.
How UpGuard can help
UpGuard VendorRisk's fourth party vendor monitoring helps you manage the increasingly complex world of third and fourth-party risk.
Using VendorRisk, you can quickly drill down to fourth parties and monitor your exposure to their risks. By doing this, you're staying across this emerging problem, with our automation helping you scale your team.