10 Ways Enterprises Can Limit Third-Party Cyber-Risk
To compete in a global marketplace, enterprises are increasingly moving their business processes and other services to the cloud and to outside suppliers. This trend has created many more attack surfaces for cyber-criminals. According to industry analysts, nearly two-thirds of major breaches involve a third party. Complex supply chains amplify this cyber-risk. As enterprise digital ecosystems expand beyond the traditional boundaries of their organizations, reducing risk from third parties becomes a high priority. What are the key steps enterprises of any size should take to reduce their risk from third-party data breaches? In this eWEEK slide show, primary industry information comes from CyberGRX CEO Fred Kneip, a former head of compliance and security at Bridgewater Associates and principal at McKinsey & Co., whose company makes a risk-management platform.
2. Recognize That Third Parties Include More Than Vendors
3. Evaluate Third Parties Based on Risk, Not Total Spend
Determine the extent to which your organization shares confidential information. What type of connections does it have with third parties? A company may spend more with its cafeteria supplier than its back-end server maintenance company, but the server maintenance company deals with more confidential information, so it can pose a greater risk.
4. Consider Security in Third-Party Selection
Too often, security is left out of the vetting process of potential providers. This can lead to last-minute assessments to meet deal deadlines or using providers with poor security practices because “we are already so far along.” Incorporating security requirements into the initial vetting process will limit any negative outcomes later.
5. Regulatory Compliance Does Not Mean Risk Management
6. Require Ongoing Maintenance of Third Parties
7. Follow Through on Contractual Commitments
8. Practice Open Communication
Modern third-party cyber-risk management (TPCRM) programs require continuous, open communication between the large enterprise and its partners. A TPCRM program should be mutually beneficial, with each party involved in the other’s progress. Successful security programs and TPCRM require true collaboration.
9. Educate Your Team
Make sure the business leaders in your organization, including the board of directors, understand the risks of third-party relationships. Have larger conversations about informed risk assumption and the need to remove the perception of security as a blocker to business. All business decisions must be made with a comprehensive understanding of the risks involved.
10. Be Prepared to Answer the Important Question
11. Streamline Your Response Process to Assessment Requests
Since no standardized cyber-risk assessment currently exists, companies must complete a separate risk assessment for each of their third-party providers. To reduce the number of individual assessments you have to complete, develop an assessment process that works for your own organization and that multiple third parties will accept, so that your company can share updated security information continuously.