Top 5 strategies for managing third-party cybersecurity
What do Google’s software glitch, Facebook’s leak of user information and Target’s infamous data breach all have in common?
The Google incident was a bug in a Google+ API that exposed user profile data to outside developers. Facebook let user information flow to the data firm Cambridge Analytica through a third-party app. At Target, attackers stole network credentials from an HVAC vendor and used them to get into Target's network and, from there, its point-of-sale systems. In each case, as in a large share of data breaches, the root cause traces back to a third party.
What’s the point of having an exceptional risk management program if the weakest link is your third parties? It doesn’t have to be this way. Read on for our top five strategies for shoring up your company’s third-party cybersecurity defenses.
Properly evaluate third parties
Does your company have a documented process for evaluating third parties before contracts are signed? The best way to prevent a third-party cyber incident is to confirm, before you depend on them, that your third parties run robust cybersecurity programs. Scale the depth of the review to what the vendor will touch: a vendor with network access or custody of customer data warrants far more scrutiny than one with neither. For ideas on vetting third parties, download our third-party risk e-book.
Assess and audit SLAs
SLA stands for service-level agreement, the part of a third-party contract that spells out measurable requirements and deliverables, such as uptime, response times and the window in which the vendor must notify you of a security incident. Periodically assessing and auditing your third parties verifies that they are actually meeting the obligations set in the SLAs, and it surfaces gaps before they turn into incidents.
Ongoing monitoring and analysis
Third-party intelligence providers offer independent inputs on the status of your third parties, based on externally observable signals such as exposed services, patching cadence and public breach reports. If a third party is hit by a cyberattack or anything negative surfaces in the public domain, the intelligence feed reports it so you can determine whether it puts you at risk. Keep in mind that these ratings reflect only what is visible from the outside, so treat them as a trigger for follow-up rather than a substitute for assessment. Here's our short list of firms operating in this space: BitSight, RapidRatings, RiskRecon and SecurityScorecard.
Importance of a data directive
A data breach caused by a third party can endanger customer privacy. Help protect your customers by working with your third parties to establish how your data is handled. Who owns the data, who can access it, and where is it stored? How long will it be retained? How quickly must the vendor notify you if it is breached? What happens to the data if you terminate the contract? Make sure you document data ownership, handling and breach notification in your third-party contracts.
Enlist the right tool
There are three types of toolsets for managing third-party cybersecurity: manual, point and integrated. Manual tools are general-purpose business software such as spreadsheets. Point solutions are designed specifically for cybersecurity or third-party risk management. Integrated platforms not only help users manage cybersecurity, but also integrate third-party data across the organization. Our third-party risk e-book provides pros and cons for each type of tool.
That’s our five strategies for managing third-party cybersecurity. Your company can have the industry’s best cybersecurity program, but if your third parties have underperforming programs, you’re still vulnerable. Just look at Facebook, Google and Target. Follow these five strategies to help strengthen your third-party cyber defense programs.