Third Party Cyber Security Risks
A third-party vendor is any outside or external entity that an organization does business with. This includes suppliers, manufacturers, service providers, business partners, affiliates, brokers, distributors, resellers and agents. From an IT perspective, they most often fall into the service provider or affiliate categories. Organizations frequently have to share data or an IT service of some sort with one another, and this often results in access, sometimes elevated access, being granted to the third-party company. A report on “Security Risks of Third-Party Vendor Relationships” published by RiskManagementMonitor.com includes an infographic estimating that 60% of data breaches involve a third party. When pondering why this is the case, I settle on the reality that many organizations don’t actually vet the IT security practices of the firms they get involved with. At most, they may ask whether the firm has an insurance policy that covers cybersecurity losses and insist that the policy pay out a certain amount per incident, usually at least 1 million dollars. The same report by RiskManagementMonitor.com also found that only 52% of companies have security standards in place regarding third-party vendors and contractors.
Because of the many cybersecurity risks floating around today, companies should begin to shore up this major hole in their cybersecurity programs. This can be done by developing an IT security questionnaire to be answered by any third-party vendor they will be involved with. When the answers are reviewed, cybersecurity departments should look for areas of weakness, report to leadership the potential risks identified by the questionnaire responses, and, if leadership decides to move forward regardless, track the remediation of every risk identified.
A second action organizations can take is to require external verification of a vendor's security practices beyond its questionnaire responses, by having the vendor acquire an IT security certification. There are several on the market today, including HITRUST for HIPAA compliance, the Cyber Security Maturity Model for those who do business with the US Department of Defense, ISO 27001, and compliance with NIST standards, which yields not a certification but a score based on the organization’s maturity level. Note that these efforts will be costly for the vendor to achieve, which may narrow the field to those vendors who can afford to do so.
The term third party also covers major applications and services that provide IT functions such as data hosting. There is an inherent assumption that these services follow secure IT practices, and in many instances that is simply not the case.