SMBs need to bulk up security to protect against third-party risk
New regulations, increased outsourcing, heightened breach environment boost awareness of vulnerabilities
By Byron Acohido, ThirdCertainty
Third-party risks—the notion that a contractor or a supplier could inadvertently expose the first-party organization to a network breach—may not be the sexiest cybersecurity issue out there.
However, at RSA 2017—the weeklong cybersecurity conference that drew 43,000 attendees to San Francisco’s Moscone Center last month—there was much talk that third-party risks are destined to ascend as a bellwether phenomenon.
Related article: Why companies need to manage third-party risks
I mean that in this sense: Actually addressing third-party risks is something companies of all sizes—from enterprise-class first-party organizations to SMB-size third-party suppliers—must come to grips with, probably sooner than later. What’s more, as the journey to mitigate third-party risk unfolds, trustworthiness of internet-centric commerce naturally will rise, perhaps dramatically.
New market emerges
One marker is that tech research firm Gartner has begun monitoring a dozen or so technology vendors marketing third-party risk solutions to large enterprises. Gartner refers to this fledgling cottage industry as the “IT vendor risk management” market. In a report last fall, Gartner predicted that the IT VRM market would expand 30 percent by 2019.
The main growth driver: regulatory requirements.
Case in point, New York state’s freshly minted Cybersecurity Requirements for Financial Services Companies, which took effect March 1, includes provisions that require financial services companies to ensure the security of the systems used by their third-party suppliers.
Meanwhile, Europe has begun to roll out a comprehensive set of data-handling rules that also call out the need to address third-party risk. These include the new framework for commercial data exchange between the United States and the European Union, referred to as the EU-U.S. Privacy Shield, as well as the new EU privacy rules known as General Data Protection Regulation or GDPR.
SMBs in hackers’ cross-hairs
To be clear, the burden does not solely rest with large enterprises to mitigate third-party risks. This issue profoundly affects small and medium-size organizations. SMBs no doubt will face increasing requirements to prove their cybersecurity fitness in order to win contracts from first-party business customers.
Third-party suppliers, in fact, are believed to be the source of as much as 70 percent of the network breaches that occur today, says Jonathan Dambrot, CEO and co-founder of Prevalent, one of the leading IT VRM vendors tracked by Gartner.
“Third party issues are driven by the fact that outsourcing trends are continuing unabated,” Dambrot told me in an interview at RSA 2017.
Professional cyber criminals are fully aware of capabilities of the multimillion-dollar security systems large companies have in place. So they wisely target “the small provider who’s providing some service and who doesn’t have their security controls,” Dambrot says.
Vendors lack knowledge
Meanwhile, all too many third-party suppliers continue to operate either ignorant of, or in denial of, the exposures they’re creating by failing to adhere to security best practices.
“A lot of smaller firms are still struggling with even understanding what they need to do, from a policies standpoint all the way down to the technical controls,” Dambrot says. “Do they have appropriate controls for encryption, identity management and multifactor authentication?”
It’s very early in the ballgame. A Ponemon Institute survey conducted last May found that the majority of the 600-plus respondents agreed that third-party risk was both serious and has been significantly growing in their organizations.
However, Ponemon found that only a third of those organizations had formal programs in place to manage third-party risks, and only about a quarter of them purchased cyber insurance to reduce the economic impact of third-party risks.
But the potential for elevating internet security, in the longer run, is palpable. Listen to my conversation with Dambrot on the accompanying podcast for a fuller discussion of that conclusion.
More stories related to third-party risks:
SMBs must understand and counter new digital risks
Despite record breaches, secure third-party access still not an IT priority
Third-party vendors are the weak links in cybersecurity