Posted on Jul 15, 2019
Can you afford a data breach by a third party vendor? Chances are, you can’t. Third party breaches cost more than in-house breaches, to the tune of $13 more per compromised record, according to Ponemon’s 2018 Cost of a Data Breach report.
Unfortunately, third party breaches are on the rise. Cybercriminals are actively targeting third party vendors, knowing that there’s an increased chance of a breach where third parties are concerned. In 2018, bad actors started to focus on third party vendors. Rather than targeting one company, cybercriminals target vendors who work with many organizations – like cloud services, email servers and payment platforms — hoping to steal data from several companies.
Third parties aren’t your employees — they are your vendors, suppliers and partners. They’re often not on-site, and you can’t force compliance the way you can with employees.
Perhaps this perceived helplessness when it comes to vendor infosecurity is the reason so many organizations aren’t prepared for a third party data breach. According to Protoviti’s 2019 Vendor Risk Management Benchmark Study, just 40 percent of organizations have a fully mature vendor risk management process in place. A third of the respondents to that study reported no risk management program at all, or an ad hoc risk management process.
That doesn’t mean you’re completely at the mercy of your vendors. You can’t eliminate third-party risk entirely, but there are things you can do to limit supply chain risk.
Before you can determine risk, you need to understand who all your third parties are — and how much is being shared with each.
As simple as it sounds, it’s not always easy to know who’s in your organization’s extended ecosystem. While some large vendors — like cloud providers — may be well-known third parties, some departments may be working with their own third parties, and may not have shared their vendor list with other departments.
Once you know who your vendors are, it’s important to know what data and networks they’re able to access. Do they need the level of access they have? If not, it’s time to set some limits.
According to findings from both Ponemon and Protiviti, the highest-performing organizations (those organizations who have been able to avoid a breach in the last year, or those with mature risk management programs) have engaged leadership.
According to Ponemon’s Data Risk in the Third-Party Ecosystem report, 53 percent of high-performing organizations have board- and executive-level engagement. Among organizations that have experienced a breach, just 25 percent have leadership engagement.
This engagement means that the leadership at the highest performers are aware of the dangers of third party data breaches, and are allocating resources to prevent such a breach, demanding evaluation of vendors’ cybersecurity practices, and are willing to regularly review third-party management policies.
If your third parties’ infosecurity and privacy practices aren’t up to your standards, or if they’ve suffered a breach, is your organization willing to exit a risky relationship? And if you are willing to cut ties with a vendor, how easy is it to actually do so?
“In my experience, many organizations have solid onboarding processes — it’s easy to add a vendor. But they struggle with how to offboard vendors,” said Paul Kooney, Protiviti’s managing director, in a podcast.
High performing organizations are more willing than ever to walk away from relationships that pose a cybersecurity risk, and they have the structures and processes in place to cut ties, protecting their data and networks.
As important as it is to know who your third parties are, it’s also to know who is in your third parties’ extended enterprise. Once you’ve created an inventory of your third parties, it’s time to inventory their third parties.
Ponemon found that 45 percent of high-performing organizations are on top of their Nth parties, creating an inventory of third parties who have access to confidential information and noting which third parties are sharing their data with one or more of their contractors. High performers also contractually require vendors to notify them when data is shared with a fourth or fifth party. This allows them to track sensitive information, and better understand who has access to it.
Traditional static third party monitoring, like questionnaires, aren’t enough to protect your data and networks. For one thing, static monitor creates a snapshot of your third parties at a specific moment in time — perhaps all their software is patched now, but what about tomorrow? Questionnaires also create an administrative burden for your team.
Continuous cybersecurity monitoring is the best, most efficient, way to manage your third party relationships and ensure your data is consistently protected. SecurityScorecard’s Atlas is an intelligent tool that streamlines your vendor risk assessment process. Using our platform, your organization can easily upload vendor responses to questionnaires. Atlas’s machine learning compares their answers to previous questionnaires and the platform’s analytics, verifying responses almost immediately and alerting you to any issues immediately so you can take action and secure your cyber-assets.
Vendor management is the process an organization utilizes to assess and manage a third- or fourth-party vendor. Learn how SecurityScorecard can help.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You can’t manage what you can’t measure. Check out our list of the top 20 cybersecurity KPIs to track in 2021.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.