To compete in a global marketplace, enterprises are outsourcing business processes and other services at an increasing rate. This trend has created the attack vector “du jour” for cyber criminals and experts estimate 50-plus percent of major breaches involve a third party. Complex supply chains amplify this cyber risk by creating a “weakest link” dependency.
As business leader’s digital ecosystem expands beyond the traditional boundaries of their organization, reducing risk from third parties has become top of mind. To help organizations address this issue, here are 10 tips to limit third-party cyber risk:
- Recognize that third parties are more than vendors. Start with vendors, but know that third parties also include suppliers, joint venture affiliates, subsidiaries and customers. The more mature programs understand that third parties consist of any organization that connects with the network, or with whom information is shared.
- Tier third parties based on risk, not total spend. Ask, to what extent does the organization share confidential information? What type of connections does it have with third parties? A company may spend more with a cafeteria group that provides food for its employees, than it does with the company it uses for back–end server maintenance. However, the server maintenance company is more important when it comes to sharing confidential information, regardless of spend.
- Ensure security is adequately considered in third party selection. Too often, potential providers require businesses or procurement groups to go through extensive vetting processes that are based on business needs or cost, and not security capabilities.This leads to frantic assessments to meet deal deadlines, or the choice to move forward despite having identified poor security practices because “we are already so far along.” Incorporating security requirements into the initial vetting process will significantly limit any negative outcomes later on.
- Regulatory compliance does not necessarily mean risk management. Keep in mind that regulations such as SOX, HIPAA and PCI DSS are minimum standards. Security can’t only be about meeting minimum regulatory standards. Events within the security world change constantly, and regulations take time to catch up.For example, most regulations today don’t specifically account for ransomware. Still, organizations need to be prepared to for ransomware attacks.
- Require ongoing maintenance of third parties. A once-a-year security review will not suffice in the current threat landscape. Today’s threat environment is constantly changing, creating new risks to the enterprise. Organizations need a dashboard in place to provides up-to-date risk analyses.
- Follow through on contractual commitments. This is a follow-on to the previous point about ongoing maintenance of third parties. It’s critical that companies follow up with their third parties to confirm that any changes required in the initial contract has been successfully corrected.If your company is working with a third party that has it written into its contract that it will check logs periodically or that all laptops will have encryption by default, it’s up to your company to ensure those obligations are met.
- Practice open communication. The days of an annual security analysis is history. Modern third-party cyber risk management (TPCRM) programs require continuous, open communication between the large enterprise and its partners. A TPCRM program should be mutually beneficial, where both party is genuinely interested in the other’s progress. Any risk management program that seems like an edict from on high will fail. Security programs and TPCRM requires true collaboration in order to succeed.
- Educate your team. Make sure the business leaders in your organization, including the Board of Directors understands the inherent risk that exists from third party relationships. Use that knowledge to guide larger conversations about informed risk assumption, and why the perception of security as a blocker to business is antiquated and potentially, very harmful. All business decisions need to be made with a comprehensive understanding of the risks involved.
- Be prepared to answer the important question. At some point, your Board of Directors will ask the question, “Which of our third parties poses the greatest risk to our organization, based on today’s threat landscape?” To answer this question, you need a comprehensive dashboard view of your entire digital ecosystem, including all its assessments. From there, you can map threat intelligence to weaknesses in third party controls, and perform advanced analytics on the data. Knowing that your board will most likely want that information at some point, it’s in your best interest to proactively build a dashboard that allows you to answer their question.
- Streamline your response process to assessment requests. Since there’s no standardized cyber risk assessment available today, organizations are forced to complete unique risk assessments for each individual company that they’re interested in working with. This creates a very manual, labor-intensive process.To reduce the number of individual assessments that you have to complete, look for standard assessments that multiple organizations will accept, or participate in an exchange that allows your company to share updated security information on an ongoing basis.