Increasingly, we read about companies whose data is stolen due to a breach by other companies with which they collaborate, and who may own part of the business of the company that is cyber-attacked. This is an issue that is on the rise as more and more operations are outsourced for various aspects of the business. The fact is that customers and consumers care little how a theft occurred or what was involved: the only thing that remains in mind is that their data is, potentially, in danger.
In today’s interconnected economy, companies rely on third parties. It is increasingly common to outsource large parts of the business to dedicated providers who specialise in this or that function, be it a SaaS provider or a contractor.
These third parties are typically not under the direct control of the organisation and are unlikely to provide full transparency on their information security controls. Some providers may have robust security standards and good risk management practices, while others do not. This is why third party and supplier risk management is an important part of any organization’s enterprise risk management strategy.
In a recent Security Magazine study, researchers found that “63% of data breaches are linked to a third-party vendor that was responsible for supporting, developing and/or maintaining the system. In some cases, the victim companies did not even know that a third party was managing certain security functions. This last point highlights one of the critical first steps in protecting your business from third-party data breaches: making sure you know what is in whose hands. While you may be familiar with the vendors you’ve chosen yourself, many IT companies rely on suppliers and subcontractors to perform functions they don’t have the resources or capabilities to perform themselves.
A simple way to assess a potential supplier without introducing an operational overhead for the management team is to use security ratings. Safety ratings are adopted because they complement and can sometimes replace time-consuming risk assessment techniques such as questionnaires, site visits and penetration tests.
Security ratings allow an immediate understanding of a potential supplier’s external security posture and what cyber threats it may be susceptible to. This greatly reduces the operational burden during vendor selection, due diligence, onboarding, and monitoring. In addition, reports can be shared with suppliers and used to resolve any issues.
Risk management in contracts
Forward-looking companies therefore act to include security assessments in their contracts. For example, some stipulate that a vendor processing personal information or credit cards must maintain a security rating above 900, or risk having their contract terminated.
The advice is also to incorporate SLAs into contracts so that they can guide the cybersecurity risk management behaviour of the providers themselves. The GDPR in Europe has given a big boost to the timing of reporting a data breach, reducing the maximum time the victim must notify all interested parties, such as stakeholders, customers and users, that information has been stolen.
But before you can properly determine the risk introduced by third-party providers, you need to understand who all the third parties are and how much is shared with each. Without an inventory of relationships, it is impossible to measure the level of risk introduced. Despite this, according to PWC research only 46 per cent of organizations carry out cybersecurity risk assessments on vendors handling sensitive data. As simple as it may sound, it is not always easy to know all the suppliers your organization uses. Especially if you work in a large company.
Talking about risk
According to the Ponemon Insitute’s Data Risk in the Third-Party Ecosystem report, 53 per cent of respondents within high-performing organzations said they were aware of the risk associated with third-party vendor activities, compared to just 25 per cent of respondents among societies that had experienced a data breach. This finding supports the theory that the leadership of high performing organizations is aware of the importance of protecting confidential information, as well as adopting increasingly stringent privacy practices driven by international laws.
In the long term, it is the operational apps that will become the most strategic to the business, and only then will you be able to continue to work securely from anywhere, both personally and operationally, as the pandemic has taught us.