This post was originally published by Abi Tyas Tunggal.
The increasing number of third-party data breaches and the sensitive information they expose have negatively impacted consumer trust. Third-party breaches occur when sensitive data is stolen from a third-party vendor or when their systems are used to access and steal sensitive information stored on your systems.
In today’s interconnected economy, companies rely on third parties. It’s increasingly common to outsource large parts of your business to dedicated vendors who specialize in that function, whether that be a SaaS vendor, a third-party service provider, or a contractor.
These third parties aren’t typically under your organization’s control, and it’s unlikely that they provide complete transparency into their information security controls. Some vendors have robust security standards and good risk management practices, while others may not.
This means each vendor, whether directly or indirectly, impacts your cybersecurity.
For example, a 2019 eSentire survey found that 44% of all firms surveyed had experienced a significant data breach caused by a third-party vendor. And the 2019 Cost of a Data Breach Report from Ponemon Institute and IBM found that third-party involvement was one of the five biggest cost amplifiers, increasing the average cost by more than $370,000 to $4.29 million.
1. Assess your vendors before onboarding
Onboarding third-party vendors who will have access to your network and sensitive data without measuring the cybersecurity risk they introduce is risky. Yet, too many organizations fail to perform adequate due diligence during the vendor selection process.
An easy way to assess a potential vendor without introducing operational overhead for your vendor management team is to use security ratings. Security ratings have been widely adopted because they supplement and can sometimes replace time-consuming vendor risk assessment techniques like questionnaires, on-site visits, and penetration tests.
Security ratings let you instantly understand the external security posture of a potential vendor and the cyber threats they may be susceptible to. This greatly reduces the operational burden on TPRM teams during vendor selection, due diligence, onboarding, and monitoring. Additionally, the reports can be shared with vendors and used to remediate issues.
Because UpGuard measures externally verifiable controls, this pre-assessment can be done without requiring consent or work from a vendor. You can even benchmark and compare a vendor against their peers and others in their sector to help you make an informed decision about which vendor you should select.
The result is a more accurate, real-time picture of the risk the vendor will introduce to your supply chain, without having to spend time completing costly risk assessments, penetration tests, or vulnerability scans.
2. Incorporate risk management into your contracts
Make a practice of incorporating cyber risk into your vendor risk management program and vendor contracts. While this won’t prevent a third-party data breach, it means your vendors will be held accountable should their security posture weaken.
Many of our customers incorporate security ratings into their contracts. For example, some stipulate that a vendor who processes personal information or credit cards must maintain a security rating above 900, or risk having their contract terminated.
We also recommend incorporating SLAs into your contracts so you can steer the cybersecurity risk management behavior of your vendors. Consider adding language that requires your vendors to communicate, or even remediate, any security issues within a certain time frame, such as 72 hours for high-risk issues. Additionally, consider adding the right to request a completed security questionnaire once per quarter, as questionnaires can highlight issues that external security scanning misses.
Read more here: www.upguard.com/blog/