The cyber threat landscape is changing and expanding as businesses pursue the cost benefits of outsourcing. As a result, attack surfaces frequently extend beyond the purview of the enterprise, and the operating risks introduced by third-party providers may be misunderstood or unacknowledged. To keep up with this dynamic threat landscape, businesses need to adapt as well.
However, a recent Ponemon study suggests that businesses are not preparing quickly enough for these threats: just 17% of respondents felt their organizations effectively managed third-party cyber risk. More concerning, the same report revealed that 56% of companies surveyed had experienced a data breach caused by a third party.
Assessing the security of every third party within your digital ecosystem is essential because their vulnerabilities are your vulnerabilities. It only takes one vendor, supplier, client, or other third-party relationship with poor security practices to compromise the confidentiality, availability, or integrity of your most critical assets. The risks of unencumbered access by a third party carry potentially devastating consequences, which must be addressed to ensure business needs are met.
An effective cybersecurity strategy must include a robust vendor management program, which involves assessing the security postures of your third parties to ensure that, at a minimum, they align with your own. Ideally, every organization that relies on third parties for business continuity would have them complete a security risk assessment to reveal and address vulnerabilities before entering into contractual agreements. Even without a full assessment, you can kick-start the process of evaluating the security of your connected network with a few direct questions.
10 Questions You Should Ask Every Vendor
- Do you use multi-factor authentication?
- What kinds of baseline defenses do you have in place, such as firewalls, anti-virus, and intrusion detection and prevention?
- What encryption standards do you require for both data in transit and data at rest?
- Has your organization ever experienced a significant cyber breach?
- If so, what was the cause, and do you have defined recovery time objectives?
- What resilience measures are in place to prevent similar events from happening again?
- How do you vet new hires? Upon termination, what protocols are enacted to ensure access paths and credentials are revoked?
- Which employees, and how many, will have access to my data?
- What types of preventative and detective physical security controls are implemented at this location, such as barriers, alarms, cameras, and intrusion detection?
- To what extent are changes made to my account audited?
View Third-Party Risk Management as a New Business Need
An effective third-party cyber risk management program requires dedicated funding, resources, and a trained team. Businesses that lack one or more of these can overcome the obstacle by partnering with a managed service provider to assist with the risk management process.
Visibility into your third-party relationships is essential to properly manage their risk, yet many businesses fail to achieve it. More than half of the companies surveyed in the Ponemon study do not maintain a comprehensive inventory of all connected parties with whom sensitive information is shared. A managed service provider capable of tailoring solutions to the specific needs of a business can help provide this visibility and determine the appropriate response to each third-party cyber risk: accept, transfer, or mitigate.
Securing your crown jewels solely by ensuring proper defensive measures are in place at your own business is no longer sufficient. Organizations must now also ensure that every business in their digital ecosystem implements sufficient security standards and processes to keep critical assets across the enterprise secure, not to mention meeting potential regulatory requirements and avoiding penalties for non-conformance.
Budget, resources, and a shortage of skills or knowledge are not viable excuses for lacking an effective vendor risk management program, as managed service providers can create solutions tailored to your exact needs at a fraction of the cost of building this capability yourself. Organizations can no longer afford to ignore third-party vendor and supply chain vulnerabilities if they wish to maintain business continuity and reputation.