The economy is made up of many different businesses working together to create a stable flow of goods and services. Even the smallest businesses are bound to have a handful of third parties they collaborate with. This includes vendors shipping raw supplies, contractors providing on-site services, and cloud platforms hosting valuable data on behalf of the business. 

Involving third parties in your business operations can open several severe vulnerabilities in your digital infrastructure. You can implement every security control you can find to protect your on-site assets, but you cannot fully control the security posture of the third parties accessing those assets. Even if you trust a third party on a personal level, it may still have poor cybersecurity hygiene on its internal systems, meaning that any company data it accesses inherits the risks of its environment.

Threat actors recognize this and are exploiting third-party trust relationships at a rapidly growing pace. Supply chain attacks can infect thousands of individual businesses by compromising vendors higher up the supply chain. Cross-platform attacks that pivot from on-premises assets to insecure cloud resources are also growing. These attacks can compromise your business without you ever noticing, making third-party vulnerabilities even more frightening.

Luckily, you can reduce these risks by implementing a variety of controls to secure your trust relationships. Before you can plan and implement them, however, you need to identify all of the third parties currently associated with your business. This includes vendors, contractors, IT service providers, and any other entity that has some level of access to your internal business environment. As with previous inventories, you can procure professional software to manage this inventory. However, for smaller businesses with a small security budget, a spreadsheet template is provided below for free.

The following attributes should be recorded in the inventory for each third-party relationship currently in place in your organization:

  • Service Provider name 
  • Service Provider category 
  • Primary Point of Contact
  • Primary Email Address
  • Primary Phone Number
  • Associated Business Unit
  • Description of provided service(s)
  • Contract start date
  • Contract expiration date
  • Date of last contract/service review 
  • Date of most recent activity
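
Once the spreadsheet is filled in, a short script can check it for gaps. The following is an added example, not part of the original article or its template: it reads the inventory exported as CSV, using the attribute names above as column headers, and reports providers with missing attributes, an expired contract, or activity recorded after the contract expired. The ISO date format, the two date checks, and the sample rows are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Column headers follow the attribute list above.
REQUIRED = [
    "Service Provider name", "Service Provider category",
    "Primary Point of Contact", "Primary Email Address",
    "Primary Phone Number", "Associated Business Unit",
    "Description of provided service(s)", "Contract start date",
    "Contract expiration date", "Date of last contract/service review",
    "Date of most recent activity",
]

# Constructed sample inventory (fictional providers, dates as YYYY-MM-DD).
SAMPLE = ",".join(REQUIRED) + "\n" + """\
Acme Hosting,Cloud platform,J. Doe,jdoe@acme.example,555-0100,IT,Hosts customer database,2023-01-01,2026-01-01,2024-06-01,2024-11-20
Bolt Supplies,Vendor,,sales@bolt.example,555-0101,Operations,Ships raw supplies,2022-03-01,2024-03-01,2023-02-15,2024-09-30
Cedar HVAC,Contractor,R. Roe,rroe@cedar.example,555-0102,Facilities,On-site maintenance,2023-05-01,2024-05-01,2024-01-10,2024-04-12
"""

def audit(csv_text, today):
    """Return {provider name: [findings]} for rows that need attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Any blank or absent attribute makes the record incomplete.
        issues = [f"missing: {col}" for col in REQUIRED
                  if not (row.get(col) or "").strip()]
        try:
            expires = date.fromisoformat(row["Contract expiration date"])
            active = date.fromisoformat(row["Date of most recent activity"])
        except (KeyError, TypeError, ValueError):
            issues.append("unparseable contract or activity date")
        else:
            if expires < today:
                issues.append("contract expired")
            # Assumed check: activity after expiry suggests access is still open.
            if active > expires:
                issues.append("activity after contract expiration")
        if issues:
            findings[row.get("Service Provider name") or "<unnamed>"] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(SAMPLE, date(2024, 12, 1)).items():
        print(f"{name}: {'; '.join(issues)}")
```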