Wednesday 31 May 2017

Are Third-Party Vendors Your Security Weak Link?


You are only as strong as your weakest link. Nowhere does that statement ring more true than in how companies approach their cybersecurity strategy. In an age of constant breaches and cyberattacks, most companies have bolstered their internal cybersecurity defenses, but many are forgetting a key area that can leave them vulnerable: the third-party vendor loophole.

For many companies, the security of a third-party vendor is simply an afterthought. From payroll and healthcare services to analytics platforms and security products, everyone thinks of third-party vendors as integral to keeping their core business running. However, just because a vendor is integral to the flow of the company, it doesn't mean its network is secure or that its cybersecurity policies meet your company's standards.

Data breaches via third-parties are a continued and growing problem for companies. According to a 2016 Data Risk in the Third-Party Ecosystem study by the Ponemon Institute, 49% of respondents confirmed their organization experienced a data breach caused by one of their vendors. Additionally, only 41% of respondents reported that their vendors’ data safeguards and security policies and procedures were sufficient to respond effectively to a data breach. 

As these figures show, third-party breaches make up a large portion of all breaches, yet they are often hard to defend against because the threat is directed at a separate entity the company does not control. So, what can companies do?

First, companies must change the way they view cybersecurity. They must look at how information is protected across the entire business network. This means security must be accounted for by anyone who has access to the company network and data, including the companies they do business with, not just internal employees. Because third-party vendors often have access to valuable company information, it is crucial to do research before bringing them into your network. Below are some tips to help companies better align themselves with third-party vendors and to stay better protected in the event of a breach.

1. Do Due Diligence
Just because a vendor is providing a needed service does not mean it puts the same value, measures and protocols into protecting its networks as you do.

  • Ask for a comprehensive list of the security policies and disaster recovery plans they have in place. Review these and make sure they align with the company's needs and security standards. Don't forget to make a record and keep copies handy in case there is a breach, so the blame game can be avoided as much as possible.
  • Ensure they regularly perform internal security audits and apply patches and software updates.
  • Perform thorough background checks on vendor employees with access to company data. Unfortunately, many breaches come from internal sources. When companies share sensitive information with providers to perform a service, those providers' staff should go through the same vetting process as if they were employees of your own company.

2. Document and Organize
When companies work with multiple vendors who have access to company information, it is important to stay organized and document who has access to what and how.

  • Companies need to know and organize where their data sets live, and which of them contain sensitive information and which do not.
  • Create a map of which vendors have access to company data, what that data is and the security measures the vendor has in place to keep it protected. Keeping all of this detailed ahead of time and organized in one place will help companies respond quickly in the event of a breach.
  • Place one person or department in charge of managing vendor security. A dedicated team working on vendor security and controlling who has access to what, and how, will help streamline the process.

3. Agree on Compliance & Data Breach Standards
It is important to agree on compliance standards before establishing a partnership with a third-party vendor.

  • Use a service-level agreement to specify, in the contract, the measures that protect the company's data.
  • Outline responsibility in the event of a breach. Data breach lawyers can help clarify these terms and advise on contract language that protects the company in a breach or loss stemming from a third-party weakness.
  • Include an audit clause in the agreement. This lets an independent party verify that the third-party vendor is following mandated regulations and proper security best practices and protocols.

There is no way around it: third-party breaches are going to happen and are even projected to grow in number. While the tips above are a starting point for building a better third-party vendor risk management program, it is critical that companies take these security vulnerabilities seriously and focus on bolstering the security of the entire ecosystem, not just the internal one they control, so their network is better prepared to handle threats.
