9 Ways to Prevent Third-Party Data Breaches

This post was originally published by Abi Tyas Tunggal.

The increasing number of third-party data breaches and the sensitive information they expose have negatively impacted consumer trust. Third-party breaches occur when sensitive data is stolen from a third-party vendor, or when the vendor's systems or access are used to reach and steal sensitive information stored on your systems.

In today’s interconnected economy, companies rely on third parties. It’s increasingly common to outsource large parts of your business to dedicated vendors who specialize in that function, whether via a SaaS vendor, a third-party service provider, or a contractor.

These third parties aren’t typically under your organization’s control, and it’s unlikely that they provide complete transparency into their information security controls. Some vendors have robust security standards and good risk management practices, while others may not.

This means each vendor, whether directly or indirectly, affects your cybersecurity.

For example, a 2019 eSentire survey found that 44% of all firms surveyed had experienced a significant data breach caused by a third-party vendor. And the 2019 Cost of a Data Breach Report from Ponemon Institute and IBM found that third-party involvement was one of the five biggest cost amplifiers, increasing the average cost of a breach by more than $370,000, to $4.29 million.

This is why third-party risk management and vendor risk management form an important part of any organization’s enterprise risk management strategy.

1. Assess your vendors before onboarding

Onboarding third-party vendors who will have access to your network and sensitive data without measuring the cybersecurity risk they introduce is risky. Yet too many organizations fail to perform adequate due diligence during the vendor selection process.

An easy way to assess a potential vendor without introducing operational overhead for your vendor management team is to use security ratings. Security ratings have been widely adopted because they supplement, and can sometimes replace, time-consuming vendor risk assessment techniques like questionnaires, on-site visits, and penetration tests.

Security ratings let you instantly understand the external security posture of a potential vendor and what cyber threats they may be susceptible to. This greatly reduces the operational burden on TPRM teams during vendor selection, due diligence, onboarding, and monitoring. Additionally, the reports can be shared with vendors and used to remediate issues.

With UpGuard Vendor Risk, you can quickly assess website risks, email security, network security, phishing & malware risk, and brand protection.

Because UpGuard measures externally verifiable controls, this pre-assessment can be done without requiring consent or work from a vendor. You can even benchmark and compare a vendor against their peers and others in their sector to help you make an informed decision about which vendor to select.

The result is a more accurate, real-time picture of the risk the vendor will introduce to your supply chain, without having to spend time completing costly risk assessments, penetration tests, or vulnerability scans. Keep in mind that a rating reflects only what is visible from the outside; internal controls such as access management and data handling still need to be confirmed through the vendor’s own evidence.

2. Incorporate risk management into your contracts

Make a practice of incorporating cyber risk into your vendor risk management program and vendor contracts. While this won’t prevent a third-party data breach on its own, it means your vendors will be held accountable should their security posture weaken.

Many of our customers incorporate security ratings into their contracts. For example, some stipulate that a vendor who processes personal information or credit cards must maintain a security rating above 900, or risk having their contract terminated.

We also recommend incorporating SLAs into your contracts so you can steer the cybersecurity risk management behavior of your vendors. Consider adding language that requires your vendors to notify you of, and remediate, any security issues within a defined time frame, such as 72 hours for high-risk issues. Additionally, consider adding the right to request a completed security questionnaire once per quarter, as questionnaires can surface issues that external security scanning misses.

Read more here: www.upguard.com/blog/
