10 Ways Enterprises Can Limit Third-Party Cyber-Risk

1 of 12

10 Ways Enterprises Can Limit Third-Party Cyber-Risk

To compete in a global marketplace, enterprises increasingly are moving their business processes and other services to the cloud and outside suppliers. This trend has created many more attack surfaces for cyber-criminals. According to industry analysts, nearly two-thirds of major breaches involve a third party. Complex supply chains amplify this cyber-risk. As enterprise digital ecosystems expand beyond the traditional boundaries of their organizations, reducing risk from third parties becomes a high priority. What are the key steps enterprises of any size should take to reduce its risk from third-party data breaches? In this eWEEK slide show, primary industry information comes from CyberGRX CEO Fred Kneip, a former head of compliance and security at Bridgewater Associates and principal at McKinsey & Co., whose company makes a risk-management platform.

2 of 12

Recognize That Third Parties Include More Than Vendors

Start with vendors, but know that third parties also include suppliers, joint venture affiliates, subsidiaries and customers. Third parties are any organizations that connect with the network or with whom information is shared.

3 of 12

Evaluate Third Parties Based on Risk, Not Total Spend

Determine the extent to which your organization shares confidential information. What type of connections does it have with third parties? A company may spend more with its cafeteria supplier than its back-end server maintenance company, but the server maintenance company deals with more confidential information, so it can pose a greater risk.

4 of 12

Consider Security in Third-Party Selection

Too often, security is left out of the vetting process of potential providers. This can lead to last-minute assessments to meet deal deadlines or using providers with poor security practices because "we are already so far along." Incorporating security requirements into the initial vetting process will limit any negative outcomes later.

5 of 12

Regulatory Compliance Does Not Mean Risk Management

Security can't only be about meeting minimum regulatory standards. Events within the security world change constantly, and regulations take time to catch up. For example, most regulations today don't account for ransomware, yet organizations need to be prepared to for ransomware attacks.

6 of 12

Require Ongoing Maintenance of Third Parties

A once-a-year security review will not suffice in the current threat landscape, which is constantly changing and creating new risks to the enterprise. Organizations need a dashboard in place to provides up-to-date risk analyses.

7 of 12

Follow Through on Contractual Commitments

It's critical that companies follow up with their third parties to confirm any changes required in the contract have been corrected. If your third party is contracted to check logs periodically or have encryption by default on all laptops, it's up to you to ensure those obligations are met.

8 of 12

Practice Open Communication

Modern third-party cyber-risk management (TPCRM) programs require continuous, open communication between the large enterprise and its partners. A TPCRM program should be mutually beneficial, with each party involved in the other's progress. Successful security programs and TPCRM require true collaboration.

9 of 12

Educate Your Team

Make sure the business leaders in your organization, including the board of directors, understand the risks of third-party relationships. Have larger conversations about informed risk assumption and the need to remove the perception of security as a blocker to business. All business decisions must be made with a comprehensive understanding of the risks involved.

10 of 12

Be Prepared to Answer the Important Question

At some point, your board of directors will ask which of your third parties pose the greatest risk to your organization, based on today's threat landscape. To answer this question, you need a dashboard view of your entire digital ecosystem, including all its assessments, to map threat intelligence.

11 of 12

Streamline Your Response Process to Assessment Requests

Since no standardized cyber-risk assessment exists currently, companies must complete risk assessments for each of its third-party providers. To reduce the number of individual assessments that you have to complete, try to develop a assessment process that works for your own organization that multiple third-parties will accept to enable your company to share updated security information continuously.

12 of 12

More Software Vulnerabilities Disclosed in 2016 Than Ever Before

The total number of disclosed vulnerabilities set a new record in 2016, according to a report released Feb. 6 by Risk Based Security. The 2016 Year End Vulnerability QuickView Report provides insight from Risk Based Security's VulnDB vulnerability intelligence platform. According to the report, there were 15,000 vulnerabilities reported by VulnDB in 2016, setting a new all-time record. Not only is the number of vulnerabilities increasing but so too is the severity of the reported flaws. The Common Vulnerabilities Scoring System (CVSS) is an industry standard for measuring the risk severity of a security flaws, with a higher number implying a higher impact. For 2016, 21.3 percent of reported vulnerabilities received CVSS scores between 9.0 and 10.0. Vulnerabilities are reported in a variety of ways, though in 2016, more flaws were reported through bug bounty programs, than by vendors working...
Top White Papers and Webcasts