SMBs need to bulk up security to protect against third-party risk

New regulations, increased outsourcing, heightened breach environment boost awareness of vulnerabilities


Third-party risks—the notion that a contractor or a supplier could inadvertently expose the first-party organization to a network breach—may not be the sexiest cybersecurity issue out there.

However, at RSA 2017—the weeklong cybersecurity conference that drew 43,000 attendees to San Francisco’s Moscone Center last month—there was much talk that third-party risks are destined to ascend as a bellwether phenomenon.


I mean that in this sense: Actually addressing third-party risks is something companies of all sizes—from enterprise-class first-party organizations to SMB-size third-party suppliers—must come to grips with, probably sooner than later. What’s more, as the journey to mitigate third-party risk unfolds, the trustworthiness of internet-centric commerce naturally will rise, perhaps dramatically.

New market emerges

One marker is that tech research firm Gartner has begun monitoring a dozen or so technology vendors marketing third-party risk solutions to large enterprises. Gartner refers to this fledgling cottage industry as the “IT vendor risk management” market. In a report last fall, Gartner predicted that the IT VRM market would expand 30 percent by 2019.

The main growth driver: regulatory requirements.

Case in point, New York state’s freshly minted Cybersecurity Requirements for Financial Services Companies, which took effect March 1, includes provisions that require financial services companies to ensure the security of the systems used by their third-party suppliers.

Meanwhile, Europe has begun to roll out a comprehensive set of data-handling rules that also call out the need to address third-party risk. These include the new framework for commercial data exchange between the United States and the European Union, referred to as the EU-U.S. Privacy Shield, as well as the new EU privacy rules known as the General Data Protection Regulation, or GDPR.

SMBs in hackers’ cross-hairs

To be clear, the burden does not rest solely with large enterprises to mitigate third-party risks. This issue profoundly affects small and medium-size organizations. SMBs no doubt will face increasing requirements to prove their cybersecurity fitness in order to win contracts from first-party business customers.


Third-party suppliers, in fact, are believed to be the source of as much as 70 percent of the network breaches that occur today, says Jonathan Dambrot, CEO and co-founder of Prevalent, one of the leading IT VRM vendors tracked by Gartner.

“Third-party issues are driven by the fact that outsourcing trends are continuing unabated,” Dambrot told me in an interview at RSA 2017.

Professional cyber criminals are fully aware of the capabilities of the multimillion-dollar security systems large companies have in place. So they wisely target “the small provider who’s providing some service and who doesn’t have their security controls,” Dambrot says.

Vendors lack knowledge

Meanwhile, all too many third-party suppliers continue to operate either ignorant of, or in denial of, the exposures they’re creating by failing to adhere to security best practices.

“A lot of smaller firms are still struggling with even understanding what they need to do, from a policies standpoint all the way down to the technical controls,” Dambrot says. “Do they have appropriate controls for encryption, identity management and multifactor authentication?”

It’s very early in the ballgame. A Ponemon Institute survey conducted last May found that the majority of the 600-plus respondents agreed that third-party risk was both serious and had been growing significantly in their organizations.

However, Ponemon found that only a third of those organizations had formal programs in place to manage third-party risks, and only about a quarter of them purchased cyber insurance to reduce the economic impact of third-party risks.

But the potential for elevating internet security, in the longer run, is palpable. Listen to my conversation with Dambrot on the accompanying podcast for a fuller discussion of that conclusion.
