5 ways to manage third-party cyber risk

Jan Bau
Vice-President of EMEA, SecurityScorecard
This article is part of: Centre for Cybersecurity

  • Organizations must prioritize safeguarding their third-party vendor ecosystem in the wake of a rise in cyberattacks.
  • Third-party risk management is not just an IT issue, it's a business issue.
  • Through a holistic approach, businesses can increase cyber resilience, and transform it into a competitive advantage.

Following the recent MOVEit hack, it is clear that organizations need to do more to safeguard their vendor ecosystem. Indeed, research from SecurityScorecard and the Cyentia Institute found that 98% of organizations do business with a third party that has suffered a breach. The report also found that the average firm has 11 third-party relationships and hundreds of indirect fourth- and nth-party relationships. Bottom line: an expanding attack surface makes companies more prone to cyberattacks.

Even organizations with a third-party risk management (TPRM) programme in place may still experience issues because regularly monitoring vendor compliance can be a struggle without the right level of buy-in. While many organizations have an IT and/or Information Security (InfoSec) team, those departments might not be the right fit for running TPRM. Though proficient on the technical side, there’s still compliance, contract management, and working with vendors to consider. Rather than assigning more work to a department that’s already stretched thin, a more holistic approach to TPRM can help.

Third-party risk management: not just an IT issue

When it comes to third-party risk management, it’s vital to establish processes and guidelines for how data is gathered, answers are reviewed, and issues are remediated. Additionally, selecting a questionnaire and evidence-collection solution will help the process run more smoothly and minimize the chances of becoming overburdened with constant emails and multiple data points. With this technology in place, organizations are better positioned to increase their cyber resilience and reduce risk across the vendor ecosystem.

Vendor risk management may sound like an IT issue, but in reality, it’s a business issue. If companies want their customers to trust them, they must first trust their vendors. When more departments fold TPRM best practices into their daily workflows—before vendor risk turns into an issue—vendor risk management will go from a pain point to a strength.


5 best practices to effectively manage third-party cyber risk

To effectively manage third-party risk and ensure your organization stays secure, it’s important to implement the following best practices:

1) Assess third-party risk

When assessing the risk posed by a third party, it’s important to focus on the areas that are most critical to your business. Additionally, scoping the assessment based on inherent risk and vendor data ensures that you’re dedicating resources to the areas that are most likely to be targeted by attackers. This means taking a risk-based approach to your assessments and leveraging cyber risk data to better understand the security posture of each vendor.

2) Identify inefficiencies within workflows

It’s not enough to simply assess the risk posed by third-party vendors; you also need to identify inefficiencies in your own processes and workflows. By doing so, you can build solutions into your roadmap that address these inefficiencies and improve your overall security posture. This includes looking at everything from your vendor onboarding processes to your incident response workflows and identifying areas where automation and streamlining can help.

3) Align internal and external control assessments

To effectively manage third-party risk, it’s important to align your internal and external control assessments. This involves ensuring that the controls you use to manage risk internally are mapped to similar risks among third-party vendors. By doing so, you can ensure that everyone is speaking the same language when it comes to risk management, and that there are no gaps or inconsistencies in your approach.

4) Incorporate continuous monitoring

It’s not enough to simply assess third-party risk once and then move on. To ensure ongoing security, you need to incorporate continuous monitoring into your processes. Leveraging automation to monitor your vendors in real time, flagging any potential issues as soon as they arise, and working with your third parties to remediate those issues are ways to be proactive in your response to threats and to ensure that you’re always on top of the latest risks.

5) Prioritize real-time visibility

From the moment a vendor comes on board, all the way through off-boarding, it’s important to continuously track their cyber health. By doing so, you can ensure that you’re able to identify any potential risks or issues as soon as they arise and take action to mitigate them before they become major problems. This means leveraging automation and real-time monitoring to ensure that you always have a clear view of your vendor risk posture.

The views expressed in this article are those of the author alone and not the World Economic Forum.