CYBER SECURITY
Best practices for trusted third-party risk management By Miryam Meir
Third parties are a necessary part of your enterprise. They are your vendors, your suppliers, your contractors, and your partners. Without them, you can’t do business. Third parties provide cloud services, store sensitive data, and provide other important services. Unfortunately, third parties are also a major source of cyber risk. Cybercriminals often compromise third-party providers as a way to reach their clients’ data and networks, as in the notorious SolarWinds breach at the end of 2020. To move your business forward and propel growth, you need to be able to trust your third parties and their security posture. For this reason, Third-Party Risk Management (TPRM) is critical for every organization.
What is TPRM?
Third-party risk management, or TPRM, is the process of vetting your vendors so that you can understand the risks they may pose to your organization and to the supply chain itself. Organizations with strong vendor risk management programs systematically identify, assess, and mitigate threats to their assets and data that might originate in the organization’s supply chain. Most organizations do business with a number of third parties, and those third parties fill many roles. In fact, Gartner found that 60% of organizations work with over 1,000 third parties. Some are vendors, but others fall into different categories, such as partners, contractors, and consultants. Therefore, TPRM is an umbrella that covers vendor risk management (VRM) as well as other kinds of third-party risk management, such as supplier risk management, IT vendor risk, anti-bribery/anti-corruption (ABAC) compliance, and contract risk management, among others.
12 | Cyber Risk Leaders Magazine
Why is third-party risk management important?
It’s never good news when third parties are involved in a data breach: Ponemon’s 2021 Cost of a Data Breach Report found that when a software vulnerability at a third party causes a data breach, the cost tends to increase by more than $90,000. That comes on top of an already steep average breach cost of $4.24 million. Third-party breaches are also becoming more frequent. According to InfoSecurity Magazine, 44% of organizations experienced a security breach in the last year, and of those companies, 74% said the breach occurred because too much privileged access had been given to third parties. That is the core of the problem: third parties often need access to your systems and data to be effective, but you don’t have the same control over your third parties as you do over your own employees. You can’t require the employees or contractors of another company to adhere to your own standards, but if your customers’ data is exposed because of a third party, that breach is still your responsibility. So how can you trust your third parties with your data?