Third-party risk refers to the potential security risks to an organization stemming from the use of third-party vendors, including those vendors in the supply chain as well as groups that may not typically perform security investigations such as law firms, building infrastructure maintenance and services, accounting firms, or even catering. Third-party risk is also posed by business partners and subsidiaries as well as the vendors that they work with.
While these third parties may be outside of the typical security and IT purview for an organization, they frequently have digital access or connectivity to an organization’s resources that are vulnerable to attack. Even in cases where the intended resource poses little risk, access to it can be used to establish a beachhead from which attackers can move laterally to discover more valuable assets (as happened in the Target breach). Third-party risk management involves continuously identifying, analyzing, and controlling all associated risks over the duration of the relationship.
Cybersecurity risk management is a component of IT risk management where a cybersecurity lens is placed on the IT infrastructure.