10 Ways Enterprises Can Limit Third-Party Cyber-Risk

To compete in a global marketplace, enterprises increasingly are moving their business processes and other services to the cloud and outside suppliers. This trend has created many more attack surfaces for cyber-criminals. According to industry analysts, nearly two-thirds of major breaches involve a third party. Complex supply chains amplify this cyber-risk. As enterprise digital ecosystems expand beyond the traditional boundaries of their organizations, reducing risk from third parties becomes a high priority. What are the key steps enterprises of any size should take to reduce its risk from third-party data breaches? In this eWEEK slide show, primary industry information comes from CyberGRX CEO Fred Kneip, a former head of compliance and security at Bridgewater Associates and principal at McKinsey & Co., whose company makes a risk-management platform.

Start with vendors, but know that third parties also include suppliers, joint venture affiliates, subsidiaries and customers. Third parties are any organizations that connect with the network or with whom information is shared.

Determine the extent to which your organization shares confidential information. What type of connections does it have with third parties? A company may spend more with its cafeteria supplier than its back-end server maintenance company, but the server maintenance company deals with more confidential information, so it can pose a greater risk.

Too often, security is left out of the vetting process of potential providers. This can lead to last-minute assessments to meet deal deadlines or using providers with poor security practices because “we are already so far along.” Incorporating security requirements into the initial vetting process will limit any negative outcomes later.

Security can’t only be about meeting minimum regulatory standards. Events within the security world change constantly, and regulations take time to catch up. For example, most regulations today don’t account for ransomware, yet organizations need to be prepared to for ransomware attacks.

A once-a-year security review will not suffice in the current threat landscape, which is constantly changing and creating new risks to the enterprise. Organizations need a dashboard in place to provides up-to-date risk analyses.

It’s critical that companies follow up with their third parties to confirm any changes required in the contract have been corrected. If your third party is contracted to check logs periodically or have encryption by default on all laptops, it’s up to you to ensure those obligations are met.

Modern third-party cyber-risk management (TPCRM) programs require continuous, open communication between the large enterprise and its partners. A TPCRM program should be mutually beneficial, with each party involved in the other’s progress. Successful security programs and TPCRM require true collaboration.

Make sure the business leaders in your organization, including the board of directors, understand the risks of third-party relationships. Have larger conversations about informed risk assumption and the need to remove the perception of security as a blocker to business. All business decisions must be made with a comprehensive understanding of the risks involved.

At some point, your board of directors will ask which of your third parties pose the greatest risk to your organization, based on today’s threat landscape. To answer this question, you need a dashboard view of your entire digital ecosystem, including all its assessments, to map threat intelligence.

Since no standardized cyber-risk assessment exists currently, companies must complete risk assessments for each of its third-party providers. To reduce the number of individual assessments that you have to complete, try to develop a assessment process that works for your own organization that multiple third-parties will accept to enable your company to share updated security information continuously.