October! A month marked by fall foliage, pumpkin spice everything, and National Cybersecurity Awareness Month (NCSAM) — a joint effort between government and industry to raise awareness about the importance of cybersecurity. This year’s NCSAM theme of “Own IT. Secure IT. Protect IT.” is a powerful call to action for ownership and accountability. However, many heeding this call won’t think about how it also extends to the vast and growing network of third-party relationships. Why? For most organizations, third parties complicate cybersecurity risk management.
Third-party risk seems like an imbalanced equation. Companies have limited or no control over how third parties secure their technology infrastructure, their applications, or their data; however, these same companies are fully responsible for cybersecurity incidents that occur as a result of those relationships. As a result, companies are on the hook financially for regulatory fines, penalties, or revenue loss and risk their own reputation when events lead to negative publicity or operational disruption.
As you look to mature and scale third-party risk management efforts, don’t limit security awareness and training to internal staff. When considering third-party risk programs, make sure you:
- Create and maintain a central repository for third-party relationships. You can’t manage what you can’t measure and won’t be able to thoroughly assess the risk of each relationship if you don’t know how many third parties you have or who those third parties are. More than half of all organizations don’t keep an active catalog of third parties.[i]
- Think beyond outdated nomenclature that limits your scope and creates blind spots. Third parties go by many names: vendor, supplier, IT service provider, affiliate, associate, consultant, etc. Don’t limit cybersecurity assessment to software vendors alone. With digital transformation and the internet of things, almost every single third-party relationship involves storing, processing, or transmitting sensitive data. Think of every relationship as a link along the value chain, including your HVAC repair technician.
- Take cybersecurity precautions at the end of the relationship. For many organizations, one critical step is missing from their third-party cybersecurity process. Very often, they overlook or forget to terminate the third parties’ access to critical systems when a contract is completed. The offboarding process is essential for mitigating downstream risks. Create a process whereby the owner of the third-party relationship notifies the proper channels before announcing contract termination; this way, security can monitor for irregular access — in case the third party wants to take any souvenirs at your expense — and ensure that access has been terminated at the end of the contractual period.
Want to know more? Learn about third-party risk management technologies in the new “The Forrester Tech Tide™: Governance, Risk, And Compliance Management, Q4 2019.” Get more information on my upcoming research and coverage area; follow me on Twitter at @AllaValente or on LinkedIn.
[i] Source: “Data Risk in the Third-Party Ecosystem,” Ponemon Institute, September 2017 (https://insidecybersecurity.com/sites/insidecybersecurity.com/files/documents/sep2017/cs2017_0340.pdf)