As cyber threats continue to plague enterprises and the third-party partners and suppliers they work with, organizations that have prioritized the development of a robust third-party cyber risk management (TPCRM) program are experiencing success.
A comprehensive TPCRM strategy enables organizations to have the necessary visibility into their entire vendor ecosystem so that when a cyberattack occurs, they can mitigate risks rapidly and effectively.
Inheriting third parties’ vulnerabilities
A majority of an organization’s business operations rely on cloud services, which means third parties—from upstream suppliers to downstream retailers and IT support to maintenance service providers—have some level of access to your systems and sensitive data. And it is likely that the security postures of many of those vendors is unknown.
When you grant network access to a third-party partner, your organization automatically inherits their vulnerabilities. Attackers will look for the path of least resistance, and they often find this in third parties, which are involved in 63% of data breaches.
That’s why it’s more important than ever for companies to integrate third-party cybersecurity risk management (TPCRM) into their security strategies.
Bringing vendors into the security strategy
While some companies have already started considering the security implications outside their own enterprise architectures, not enough of them are.
A recent CyberRisk Alliance Business Intelligence survey found that 47% of organizations are working with external parties to increase coordination of incident response—but 48% said they’re leaving things as-is. For nearly half of the organizations surveyed, the vulnerabilities will remain the same. The likelihood of these organizations falling victim to a third-party security incident is quite high, compared to those who have implemented third-party risk management practices.
A centralized TPCRM program can mitigate the risk from third parties while delivering other benefits, including:
- Scaling with the company as it grows.
- Providing visibility into vendors’ cybersecurity controls, to understand how vendors will prevent, detect, or respond to attacks.
- Allowing the organization to create clear risk management strategies built on visibility into its entire cloud ecosystem (including third parties).
- Freeing up in-house IT staff to work on risk management rather than spending their time on routine data collection.
Third parties will benefit, too, since a TPCRM program will reduce redundancy in its own response efforts, while adding scalability and taking routine tasks away from their staff.
TPCRM in action
What features should an organization look for when planning to implement TPCRM?
A full inventory. An organization needs to be aware of all its third parties, not just major vendors, as well as vendors that may have been engaged via shadow IT. It must account for all people and resources that have access.
Collect and analyze the right data. Identify and assess the data that’s most pertinent to your company and its ecosystem to gain complete visibility into the security postures of your vendors.
Assess the real risks. Make use of analytics tools and scoring capabilities to understand the risks posed by third parties, focusing not so much on the size of a vendor’s contract but on their access and impact on data, networks, applications, and devices.
Prioritize risks. Identify the critical, high, medium, and low priority risks posed by vendors and act, addressing risks for the highest priority third parties and scheduling regular assessments for the others.
Work together. Third-party risk exchanges and other dynamic delivery models can bring together not just your organization and a vendor, but other organizations that vendor works with, enabling collaboration that can improve security for everyone.
Make it continuous. Consistent assessments making use of analytics tools are necessary for optimizing your security posture with results that can be regularly reported to executive leadership.
Third-party risks to your network and enterprise are real— as recent high-profile cyberattacks demonstrate—and third parties are typically the weakest link in your organizations’ defense. However, as we’ve witnessed with AmeriGas, an effective third-party cyber risk management program will provide the necessary visibility for enterprises to identify vulnerabilities within partners and suppliers, so that any risks can be effectively and quickly mitigated.
Shoring up third-party security can’t be done piecemeal; there are just too many accounts, devices, and applications to keep track of individually. A comprehensive approach that leverages automation, analytics and visibility into vendor risks is the most effective way to secure third-party relationships in a cloud environment that is only going to expand.