Four Ideas to Address Increasing Third-Party Risk
Third-party vendor partnerships and their security bear some unsettling similarities to confiding in a friend and having that confidence betrayed.
You confide something private and important to a friend. Your friend shares it with someone else without your permission. This third person shares the information with others and the chain of dissemination spirals. Suddenly, a private exchange between two parties has spread to a vast and unknown number of people without your knowledge.
Maybe the consequences to you are minimal. Or, perhaps, the effects are irrevocable.
Half of Reporting Entities Cite Third-Party Security Incidents
Reliance on third-party support is rising, and with it the risk to organizational health and security. Statistics support the growing concern over the vast and complex webs of support that affect any organization seeking external services.
One study of nearly 4,000 respondents indicated that close to 70 percent have a moderate-to-high level of dependence on external entities. These third-party entities include their extensions to fourth and fifth parties. For those organizations that must report their dependencies on external resources, nearly 50 percent cite a third-party breach or security incident within the last three years.
Gartner cites recent studies showing that 60 percent of organizations now have over 1,000 third parties. No matter how many third parties your organization integrates with or shares external sources with directly, your security doesn’t stop at their border but extends to their dependents, creating an intricate cybersecurity web.
Organizations Struggle to Manage Third Parties and Their Networks
Quest Diagnostics had nearly 12 million records exposed over eight months due to a hack that gained access via a third-party billing collections service.
Even the largest and, presumably, most secure organizations are at risk through their associations with third parties. Capital One, for example, relies on a connection with Amazon Web Services. A former Amazon employee was able to create a program that scanned other companies that also used Amazon Web Services, resulting in a hacking spree that led to security breaches at Capital One and 30 other companies.
The dangers associated with the expansion of third-party support create a variety of challenges to managing associated risks. But there are strategies an organization can take to mitigate those threats.
Mitigating & Managing Third-party Risk
Centralize Third-party Risk Management (TPRM)
Increased reliance on external partners means sharing more data with more external entities and a higher volume of users. This increases the probability of data being mishandled or compromised exponentially.
Centralizing TPRM helps mitigate risks by creating a clearinghouse model that examines and approves third parties on behalf of the enterprise. Centralization is also useful because it provides standards and a singular perspective on risk that keeps adequate attention on cybersecurity priorities unique to each organization. Additionally, central oversight provides governance over where data is stored.
Concentrating the authority of TPRM helps identify which partners are riskiest and develop plans for addressing unique and high-priority partnerships. A centralized TPRM should set recertification requirements and establish priorities to ensure that higher-risk external partners recertify more frequently.
Establishing TPRM priorities requires flexibility and a proactive approach; however, the results are worth it: reduced costs, fewer redundancies and duplications, and standards to guide risk-mitigation effort and investment.
Establish Contractual Requirements
To stay ahead of threats introduced by vendors, establish the conditions you require of third parties. These could cover functional expectations and limitations, such as restricting the use of fourth, fifth, or sixth parties. Requirements could include the frequency of updates and recertifications, as well as other tailored criteria that limit risk to you, your executives, and your customers.
Conduct Ongoing Security Assessments
Unfortunately, most third parties are only vetted when being onboarded or during recertification.
Gartner reports that 83 percent of surveyed legal and compliance leaders identified risks between onboarding and recertification. Another study shared that 62 percent of CEOs fail to hold extended enterprises to the same risk standards as their organization.
Having a limited assessment scope means that you never achieve a real-world view of third-party cybersecurity strengths or weaknesses. Vendors put their best foot forward during onboarding and recertification, whereas various types of continuous monitoring can provide more useful insight into their day-to-day posture.
Balancing vendor relationships and compliance with more regular assessments can be challenging and takes rapport and savvy. Establish a transparent, respected chain of command for managing technical and operational components of the relationship. Consider implementing automated reports or management software to provide periodic, real-time cybersecurity check-ins.
Take Offboarding Seriously
Offboarding is often overlooked. When you change the nature of a vendor relationship or stop having a data-related connection with a third party, be sure to conduct a cybersecurity offboarding procedure. Ensure that you’ve restricted data access and completed a checklist of cybersecurity steps to disconnect any technology or data-sharing connections or APIs.
As with the confided secret, the information may reach the wrong person or be distorted along the way. Either way, the more parties that hold it, the greater the risk to you.
Secure Partnerships Make Everyone Safer
Your organization is only as secure as your least secure external partner. Verifying your partners’ cybersecurity strengths and weaknesses is one of the most important ways to keep your company and customers protected.
Our team of seasoned cybersecurity professionals provides consulting to develop, oversee, and guide your third-party environment with lean, automation-driven strategies that successfully manage the expanding challenges and risks of third-party partnerships.