Combat Third-Party Risk With The Right Cyber Posture

Forbes Technology Council
Post written by Dr. Rao Papolu

There’s been a major trend in recent years where organizations seeking to cut costs and focus on core competencies outsource more to third parties. Cost-effective scalability for everything from data centers to global supply chains increasingly depends upon a complex network of external vendors, suppliers and service providers.

While many enterprises may have taken the cybersecurity of third parties for granted in the past, increasingly stringent regulations, influenced by a string of high-profile data breaches and the General Data Protection Regulation (GDPR), are changing that.

It’s not enough to formulate and fortify your own cyber posture; you must also consider the defenses of the external partners who also have access to your network.

Although there seems to be significant awareness of third-party risk, with 60% of respondents in a recent NTT Security report pointing to third parties as the weakest security link in their organizations, most companies simply aren’t doing enough to assess or mitigate that risk.

Third-Party Risk Is Very Real

Too many organizations have little or no insight into the security processes and systems of the third parties with whom they share sensitive data. Sometimes those third parties are, in turn, sharing data with suppliers or other external partners. Ignorance of third-party practices is no defense. Customers and regulators don’t make allowances when a third party is found to be responsible for a breach.

At least 56% of organizations suffered a breach caused by a third party in 2017, up 7% from 2016, according to the Ponemon Institute. The average cost of those breaches for U.S. companies (after adding up fines, remediation and loss of customers) was $7,350,000. With new regulations like the GDPR coming into effect, that potential cost is rising.

The National Institute of Standards and Technology (NIST) just released version 1.1 of its Cybersecurity Framework, designed to help companies craft strong and secure cyber postures. The update emphasizes supply chain risk, specifically pointing to third parties as potential weak links that need to be addressed, a process that starts with in-depth assessment.

Proper Assessment Is Crucial

Completing thorough due diligence has never been more important. A full 80% of organizations engaging in mergers and acquisitions described cybersecurity issues as highly important to the due diligence process, according to a West Monroe report, and 77% agreed that the importance has increased significantly in the last two years. Worryingly, 40% of respondents said they have discovered a data security problem after an acquisition deal went through.

Unfortunately, most organizations don’t conduct due diligence investigations to anywhere near the same level of depth for third-party partners as they do for prospective acquisitions. If due diligence standards for M&A are too low, it’s safe to assume they’re not stringent enough for third parties. It’s vital to establish visibility into partners and learn precisely whom they do business with before you can make a proper assessment of risk.

Granular risk assessment that provides a holistic view of your cybersecurity is required, and it must also be continuous if you want to ensure compliance not just today but tomorrow as well.

Build A Framework

Instead of relying upon siloed investigations that provide a snapshot of your cyber posture, it’s better to formulate a clear framework that can be applied internally and externally. Considering GDPR compliance for the EMEA region, NTT Security recommends implementation of a formal vendor management program to “clearly and concisely communicate legal, regulatory, security and business objectives.”

Relying upon a disparate collection of security tools that span different platforms is a risky approach that’s prone to error. What’s really required is a fully configurable security posture that can grow and evolve with your business and accommodate new regulations. Think about how to integrate the latest best practices, remediate emerging vulnerabilities swiftly, and identify and assess issues proactively before they get a chance to develop into real problems.

As the specter of third-party risk looms ever larger, the ability to continuously monitor and automatically remediate is growing increasingly important. By establishing the right cybersecurity posture and ensuring that it is applied to your entire network of partners, you can effectively manage and mitigate third-party risk.
