University-industry collaborations and other joint research ventures offer university researchers access to resources, expertise, funding, and other benefits. However, through the use of unvetted software, password sharing, and other actions, these external partnerships can expose the university and its intellectual assets to substantial cybersecurity threats, such as unauthorized access, data breaches, and other cyber attacks. Third-Party Risk Management (TPRM) is a cybersecurity process that allows educational institutions to defend their intellectual property (IP) and safely engage in external partnerships and research collaborations.
This article will explore several TPRM strategies universities can deploy to secure their third-party ecosystem and install comprehensive data protection controls into their cyber vendor risk management strategy.
An Overview of Intellectual Property in Academia
Intellectual property is a critical component of almost every industry and includes any form of intangible assets derived from human thought. The most recognizable forms of IP are trademarks, patents, and copyrights.
In the education and research sectors, IP may include:
- Field and laboratory notebooks
- Inventions (including non-patentable ones)
- Designs (unregistered and registered)
- Scientific discoveries
- Literary, artistic, musical, or dramatic works
- Multimedia works
- Databases and computer material
- Other proprietary information
Who Owns University IP?
In the education sector, IP ownership is highly variable. Under most circumstances, an external researcher will retain ownership of their IP. However, university staff and students may be subject to stricter IP policies if the university has an IP stake in their research. Exact ownership will depend on the creator’s relationship with the university and the university’s IP policy.
Most universities provide an IP policy statement to students, professors, researchers, and partners during admission or hiring. These documents are delivered to guide all parties through the nuances of IP ownership and management.
An Overview of Third-Party Risk Management (TPRM)
TPRM is a critical pillar of cybersecurity that allows organizations of all sectors to defend themselves, their intellectual assets, and sensitive information against the third-party security threats associated with outsourcing tasks and operations to third-party vendors. These threats could lead to damaging breaches that could compromise an organization’s business continuity or data privacy.
Here is a quick refresher on the main phases of the third-party risk management process:
- Vendor intake: Collecting information from shortlisted and prospective vendors
- Risk identification: Understanding vendor risks and conducting vendor due diligence
- Risk assessment: Evaluating the potential impact and likelihood of third-party risks
- Risk monitoring: Using continuous monitoring practices to track and identify risks in real time
- Risk mitigation: Reducing risks to an acceptable level and responding to incidents when necessary
The UpGuard Cybersecurity and Risk Management Blog is home to several resources and articles on Third-Party Risk Management and TPRM programs. Our blog also covers adjacent topics like vendor risk management (VRM), information security, and supply chain risk management (SCRM). Reading these resources is the best way to develop a comprehensive understanding of TPRM and other essential cybersecurity concepts.
Using TPRM to Protect University IP
Educational institutions commonly partner with commercial businesses, external research agencies, and other universities to participate in research collaborations. These partnerships are invaluable opportunities for innovation and progress, but they expose each organization to the security risks of the other organizations involved.
TPRM helps universities protect their IP by securing their third-party ecosystem, installing security controls, identifying potential risks, and streamlining the risk mitigation process.
The main types of risks a third-party risk management program will identify are:
- Cybersecurity risk: The risk of an external collaborator exposing a university to a cyber attack, exploited vulnerability, or security incident.
- Operational risk: The risk of a third-party vendor causing disruptions or delaying institutional operations.
- Compliance risk: The risk of an external collaborator’s outstanding regulatory requirements or non-compliance impacting the university’s compliance with industry standards, frameworks, and laws.
- Reputational risk: The risk of a vendor’s negligence causing the university reputational damage.
- Financial risk: The risk of a third-party relationship negatively impacting the education institution’s finances.
Why Universities Should Invest in TPRM
TPRM provides universities with a robust defense against third-party risks, and there are many reasons why educational institutions should invest in TPRM. Here are the most influential impacts TPRM can have on an organization:
- Cost reduction: TPRM can help universities protect themselves against costly cyber attacks, data leaks, and data breaches that may stem from external research collaborations. The average cost of a data breach in 2023 was $4.45 million, significantly more than the annual cost of UpGuard’s TPRM solution.
- Risk reduction: Data leaks and other third-party risks can expose a university’s IP and sensitive research information. By performing robust due diligence, your organization can reduce its attack surface. This is a great way to manage the inherent risks associated with external research collaborations. Most comprehensive TPRM frameworks also involve continuous security monitoring, which will help your organization proactively tackle new risks throughout the entire span of a research collaboration.
- Compliance management: If your university or its research partners handle personally identifiable information (PII) or sensitive data, you must comply with FERPA and possibly other regulatory requirements such as ISO, HIPAA, GDPR, or NIST CSF. TPRM is a critical requirement of many regulatory frameworks and can help with compliance management across all your organization’s external collaborations.
- Knowledge and confidence: Third-party risk management increases your expertise and visibility into the third-party vendors you work with and improves decision-making across all stages, from initial assessment to offboarding.
- Protecting IP: By increasing your organization's third-party visibility and knowledge of your collaborator’s security posture, your cybersecurity team can better predict risks and vulnerabilities. This visibility and expertise can improve decision-making, promote healthy business relationships, and protect vital IP.
How to Select a TPRM Solution
Third-party risk management has become one of the most popular pillars of cybersecurity in recent years. Therefore, many companies now offer TPRM solutions that promise educational institutions comprehensive support and protection. Organizations should be cautious, though, as not all TPRM solutions are created equal.
The best third-party risk management solutions, like UpGuard Vendor Risk, will possess the following tools and features:
- Security ratings
- Security questionnaires
- Vendor risk assessments
- Remediation & mitigation workflows
- Continuous monitoring
Security Ratings
Vendor security ratings allow universities to objectively measure the security posture of potential and existing external collaborators. Most security ratings rate an entity’s cyber hygiene using a proprietary scoring system, so parties with a low score have worse cyber hygiene than entities with a higher security rating. Universities and other educational institutions can use security ratings to evaluate an external collaborator’s cyber hygiene, conduct due diligence, and evaluate the cybersecurity risks they may inherit by forming a specific third-party relationship.
UpGuard’s data-driven security ratings represent a dynamic measurement of an organization’s security posture. The UpGuard scanning infrastructure monitors and collects billions of data points daily through trusted commercial, open-source, and proprietary methods.
UpGuard then scores this data using a proprietary rating algorithm, which produces a security rating out of 950 to measure an organization’s cyber hygiene. Organizations with greater risk exposure receive a lower rating.
Security Questionnaires
Security questionnaires are a set of technical questions a university’s risk personnel can use to identify potential weaknesses in a third-party partner’s cybersecurity program. Specific questionnaires commonly assess a vendor’s relationship with industry frameworks, compliance requirements, certifications, or known vulnerabilities.
UpGuard’s security questionnaire library allows educational institutions to accelerate their vendor assessment process. The library includes powerful and flexible pre-built questionnaires and also allows users to create custom questionnaires from scratch.
Vendor Risk Assessments
The cybersecurity teams of educational institutions use risk assessments to comprehensively evaluate the security posture of external collaborators and corporate partners. Risk assessments combine security ratings, security questionnaires, vulnerability scans, and other processes.
UpGuard’s vendor risk assessments eliminate the need for error-prone manual spreadsheets. By switching to UpGuard’s comprehensive risk assessments, educational institutions can save time, improve accuracy, and customize evaluations based on individual vendors.
Remediation & Mitigation Workflows
Remediation and mitigation workflows are defined activities a university’s security team can use to react quickly to known vulnerabilities and cyber threats. These workflows are typically included within an organization’s incident response policy and help improve business continuity.
UpGuard’s remediation and mitigation workflows enable organizations to simplify and accelerate their remediation requests. The platform enables users to use real-time data to provide context to vendors, track vendor progress, and stay informed when vendors fix reported issues.
With UpGuard’s simple and effective workflows, your organization can:
- Fix adversary-in-the-middle risks
- Find insecure SSL/TLS certificates
- Understand vendor email security
- Enforce HSTS
- Close unnecessary open ports
- Fix vulnerable software
- Prevent HTTP accessibility
- Configure secure cookies
Continuous Monitoring
Continuous security monitoring (CSM) is a threat intelligence approach that allows universities to achieve 24/7 visibility over their institution’s attack surface. The strategy involves the automated monitoring of information security controls and vulnerabilities to support organizational risk management decisions.
UpGuard’s cybersecurity solutions include continuous security monitoring, allowing organizations to stay up-to-date on the following:
- News & Incidents: Stay on top of security trends and news related to your industry and your vendors, and filter incidents based on relevance or vendors affected
- Risk Profile: Understand your risk profile and drill down into individual risks across your third-party ecosystem
- Domains & IPs: View the domains and IPs that belong to your organization and their corresponding cyber risks
- Asset Portfolios: Organize your domains and IP addresses into separate lists by different use cases
How UpGuard Helps Universities Protect Their Intellectual Property
UpGuard offers educational institutions robust cybersecurity solutions. These solutions can help university risk personnel develop comprehensive third-party risk management programs, mitigate third-party risks, and protect valuable intellectual property.
Using UpGuard Vendor Risk, universities can protect their intellectual property by:
- Using UpGuard’s security ratings and vendor risk assessment features to evaluate the security posture of their existing research collaborations
- Using UpGuard’s automated security questionnaires to gain deeper insights into the security posture of external partners before onboarding them and sharing access to critical systems
- Using UpGuard’s continuous monitoring features to prevent data leaks by getting real-time updates on the risks and vulnerabilities present across their attack surface
- Using UpGuard’s reports library to communicate TPRM initiatives and strategies with key stakeholders, external partners, and corporate researchers