Most small businesses will collaborate with other organizations at some point in their lifespan. Whether you are having a contractor come in to configure services specifically for your own use or you are working with them to provide services for customers, you are bound to be required to provide third parties with access at some point.
Third parties can be huge vulnerabilities in your organization’s cybersecurity surface. If you share data with third parties or grant them access to your network resources to perform their tasks, you could end up having your resources compromised by threats originating in their systems. Think of it like spreading fleas. A friend returns from a vacation and unknowingly has fleas in their hair. When you go to a restaurant for dinner with your friend, the fleas jump over to your hair while you are sitting at the table.
Third parties can also compromise your resources intentionally. Just like with your employees, you can never fully trust third-party collaborators, no matter how badly you want to. A third party could use their access to your internal resources to copy trade secrets to their own systems, then share those secrets with other clients as a way of playing “both sides”.
There are several major precautions that need to be taken by any business to secure itself against third-party and supply chain threats. However, before you can implement these controls, you need to clearly document all third-party entities that are provided with access to your business network. Whether these are entire organizations or specific individuals, they need to be documented if they are given any kind of access to your systems, network, data, or physical premises. You should clearly document the entity's name, the level of access they are afforded to your resources, and their primary contact information. You can use the template attached below to complete this task. As with all cybersecurity documentation, make sure this spreadsheet is properly stored, backed up, and regularly updated to reflect new developments.