Third-party vendors are the weak links in cybersecurity
(Editor’s note: No business network is too small for cyber criminals to breach, then figure out how to leverage. In this guest essay, Matt Cullina, CEO of IDT911, which sponsors ThirdCertainty, discusses the wider implications.)
By Matt Cullina, Special to ThirdCertainty
The old adage says you are what you eat, and when it comes to vendor security you are your vendor. Any serious breach of a third-party vendor’s system is effectively a breach of your own, which is an agreed risk undertaken once you begin the outsourcing process.
As recent headlines have shown, even a small third-party breach can cause serious reputational and financial damage. Companies are consistently outsourcing and are committing more and more resources to the cloud, to payroll services, and to other vendors to streamline their businesses. In this new business climate, is it actually possible to truly cover your assets?
In order to answer this question, it is important to consider the nature and prominence of third-party breaches, as well as the causes and repercussions for the vendor and business. Although organizations know they should take their own cybersecurity seriously, they often overlook the cybersecurity of third parties. The convenience, cost-effectiveness and flexibility of outsourcing to third-parties comes with significant risks, meaning businesses and professionals must implement effective and encompassing compliance measures to safeguard both their own, and their customers’ data.
Free IDT911 white paper: Breach, Privacy, And Cyber Coverages: Fact And Fiction
An often overlooked, but integral element of that process is third-party risk management. A company’s cybersecurity is only ever as preventative as the cybersecurity of its third-party vendors. This can be equally problematic from an image perspective, as the perception of customers can mean everything to a business’s bottom line. If systems are breached, and data is put at risk, customers tend not to care whether the incident is the fault of the institution itself, or a third-party vendor. Reputational and financial damage ensues regardless and, ultimately, will impact revenue and profitability.
As companies of all sizes have become increasingly conscious of the extensive risks posed by cybersecurity breaches, they have begun to form comprehensive strategies and devote the necessary resources to identify, manage and eliminate internal vulnerabilities. In doing so, these businesses are attempting to mitigate their exposure to potential cybersecurity incidents.
Multipronged approach works best
Such businesses have found that they must address cybersecurity risk management from multiple angles. This includes investing in robust IT security systems, conducting employee training, considering the purchase of cybersecurity-related insurance policies, developing a data breach response plan, and so forth.
An obvious point, but one that often is overlooked, is the effective “vetting” of potential third-party organizations. This could fall under a full review or presentation process, or even be as simple as paying them a visit and asking for a tour of their offices and a full explanation of their operations. In effect, this is a kind of face-to-face audit, and will complement all written documentation and authorization you receive.
As far as additional compliance goes, the first process to put in place is that of ensuring that your business has a complete overview of exactly who has access to data, and which data is visible. These days most, if not all, organizations provide some kind of data or systems access to at least some third-party vendors, with such vendors including law firms, consultants, data storage providers, accountants or even the manager of an office building.
Get it in writing
Similarly, a well-designed contract is key, both for the relationship with third-party vendors, and in case of further litigation or legal issues further down the line. If it already has not done so, your organization should review existing vendor contracts with an eye toward mitigating cybersecurity risk. Within the contract, businesses are entitled to consider extending their own security standards to vendors, or to consider provisions requiring vendors to comply with specified security procedures.
Once a contract has been agreed upon, it is important to establish and develop guidelines for future agreements. Such guidelines should include standard provisions such as those described above, as well as an outline of the benefits of outsourcing measured against the associated risks.
Communication is key
From an internal point of view, it also is important to ensure all teams within a business are working together effectively, as well as maintaining regular contact, with third-party vendors. For example, IT needs to work closely with procurement with all functions that manage third parties to ensure that any perceived threats are unable to access critical corporate information assets.
The principal objective of all the above compliance is to prevent any cyber breach, as well as to limit the potential damage of any such incidents. The preparation and robustness of an organization’s procedures and practices with regard to third-party vendors will limit its liability in any subsequent litigation. To this end, regulators already have begun to place increased scrutiny on third-party relationships with specific regards to cybersecurity, and this looks set to continue. As the cyber threat increases, so, too, must the protection measures undertaken by companies.