1. Understand your third-party networks
The first step is to understand which third parties you use, across all aspects of your organisation. Undertaking an audit and developing a register that lists every third-party vendor, what they offer and what data they have access to will give you a clear view of the risks you are facing. A good question to ask of each supplier is whether they provide support or hosting of services, or whether they have access (physical or virtual) to your company's or your customers' data. If the answer is yes, you should definitely be assessing them from a security perspective.
You’ll also want a view of which suppliers your suppliers use – your fourth and fifth parties. For example, you may outsource your IT services to a business, which may in turn use a project management tool that is fed data on your company. Ideally, your partners should give you a clear picture of how and when access to your data and systems may be given to other businesses they work with, so you can stay on top of any potential risk.