Zero trust hand-in-hand with third-party risk management
from Cyber - March 2023
Third parties – a necessity for modern business – can make organisations vulnerable to data breaches and other security incidents. Enter zero trust
WRITTEN BY: MARCUS LAW
Working with third parties is a necessity for modern businesses. These relationships are critical to business success – delivering affordable, responsive and scalable solutions that can help organisations to grow and adapt according to the needs of their customers. But as reliance on third parties grows – according to Gartner, 60% of organisations now work with more than 1,000 third parties – so does the exposure to additional risk.
Third parties, such as vendors, partners, or service providers, often have access to an organisation's sensitive information, systems and networks. This access can make organisations vulnerable to data breaches, cyber attacks, and other security incidents, especially if the third party's security controls are insufficient or if the third party is targeted by cybercriminals.
Additionally, third parties may have their own vulnerabilities that could be exploited to gain access to an organisation's network. By identifying and managing third party risk, organisations can better protect themselves against cyber threats and ensure that their sensitive information and systems are secure.
A survey from the CyberRisk Alliance and SecurityScorecard found that over a third of respondents had at least 100 third-party vendors. Of those, 91% said they had experienced a related security incident.
To benefit from the rewards strong third-party relationships can offer, it’s vital for organisations to manage the risks. That is where a rigorous Third Party Risk Management (TPRM) programme comes in.
Today, businesses inherit the cyber-risk posture of not just their direct, third-party vendors, but also of their vendors’ vendors – often known as ‘Nth party’.
A report by The Ponemon Institute explains that while many businesses continue to outsource critical business processes to third parties, 63% of organisations don't have visibility into the level of network access and permissions for internal or external users, and have a limited-to-no view of who or what has how much supervised or unsupervised access, and why.
Meanwhile, according to research from PwC, 86% of business leaders said that complexity in their organisation was creating concerning levels of risk, with third-party cyber risks a glaring blind spot.
The importance of zero trust
Enter zero trust. By ensuring that all access to a network or system is verified and authenticated – regardless of whether the request is coming from inside or outside the network – implementing a zero-trust approach helps to prevent unauthorised access and reduces the risk of a data breach or other security incident caused by a third party. Additionally, zero trust can help organisations to more effectively monitor and manage their third-party vendors and partners, allowing them to better identify and mitigate risks.
According to Third-Party Risk and Cybersecurity Program Management provider ProcessUnity, in the third-party risk management context, a zero-trust strategy generally involves ensuring that the organisation has comprehensive controls in place to limit vendor access to the minimum resources required to perform the job.
Zero trust can minimise vulnerabilities created by the insufficient security practices of outside vendors: because every request is re-verified rather than trusted on the strength of an earlier login, a compromised vendor identity is flagged in near real time instead of retaining standing access.
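To make the contrast concrete, the following is an added example written for this article (it is not code from the article, ProcessUnity or Okta). It evaluates a handful of constructed vendor access requests twice: once with a perimeter model that trusts anything coming from an internal address, and once with a zero-trust policy decision that ignores network location and checks identity, freshness of verification, device posture and the vendor's least-privilege scope on every request. The vendor names, resource names, IP ranges and re-verification thresholds are all assumptions chosen for illustration.

```python
"""Perimeter trust versus per-request zero-trust decisions for vendor access.

Added illustrative example, not the article's or any vendor's code. All
principals, resources, networks and thresholds below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the "trusted" corporate range a perimeter model relies on.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Least-privilege grants per vendor identity (constructed): the only resources
# and actions each vendor may touch, and how old a successful identity
# verification may be (seconds) before the vendor must re-authenticate.
VENDOR_GRANTS = {
    "hvac-vendor": {
        "resources": {"bms/telemetry"},
        "actions": {"read"},
        "max_assertion_age": 900,
    },
    "payroll-saas": {
        "resources": {"hr/payroll-export"},
        "actions": {"read", "write"},
        "max_assertion_age": 300,
    },
}


@dataclass(frozen=True)
class AccessRequest:
    principal: str
    source_ip: str
    resource: str
    action: str
    authenticated: bool      # identity verified by the IdP for this session
    assertion_age: int       # seconds since the last successful verification
    device_compliant: bool   # posture result reported by the endpoint agent


def perimeter_decision(req: AccessRequest) -> bool:
    """The model zero trust replaces: inside the network, or logged in once, means trusted."""
    src = ip_address(req.source_ip)
    return any(src in net for net in INTERNAL_NETS) or req.authenticated


def zero_trust_decision(req: AccessRequest) -> tuple[bool, str]:
    """Deny by default; network location is deliberately not an input."""
    grant = VENDOR_GRANTS.get(req.principal)
    if grant is None:
        return False, "unknown principal"
    if not req.authenticated:
        return False, "identity not verified"
    if req.assertion_age > grant["max_assertion_age"]:
        return False, "verification stale; re-authenticate"
    if not req.device_compliant:
        return False, "device posture failed"
    if req.resource not in grant["resources"]:
        return False, "resource outside vendor scope"
    if req.action not in grant["actions"]:
        return False, "action outside vendor scope"
    return True, "allowed"


# Constructed sample requests. The first is the classic third-party breach
# path: a vendor account on the internal network reaching for data it was
# never granted.
REQUESTS = [
    AccessRequest("hvac-vendor", "10.1.2.3", "hr/payroll-export", "read", True, 60, True),
    AccessRequest("hvac-vendor", "198.51.100.7", "bms/telemetry", "read", True, 60, True),
    AccessRequest("payroll-saas", "10.2.2.2", "hr/payroll-export", "write", True, 3600, True),
    AccessRequest("payroll-saas", "203.0.113.9", "hr/payroll-export", "read", False, 0, True),
    AccessRequest("hvac-vendor", "10.1.2.3", "bms/telemetry", "write", True, 60, True),
]


def compare(requests: list[AccessRequest]) -> list[tuple[str, str, str, bool, bool, str]]:
    """Return (principal, resource, action, perimeter_allowed, zt_allowed, zt_reason) per request."""
    rows = []
    for req in requests:
        zt_ok, reason = zero_trust_decision(req)
        rows.append((req.principal, req.resource, req.action, perimeter_decision(req), zt_ok, reason))
    return rows


if __name__ == "__main__":
    for principal, resource, action, perim, zt, reason in compare(REQUESTS):
        print(f"{principal:13} {action:5} {resource:18} perimeter={perim!s:5} zero_trust={zt!s:5} ({reason})")
```

Running it shows the perimeter model waving through four of the five requests, including the out-of-scope payroll read from an "internal" HVAC vendor account and the write made on an hour-old session, while the zero-trust decision allows only the single request that matches a current, verified identity acting within its granted scope. Real deployments push these checks into an identity provider and policy engine rather than a dictionary, but the shape of the decision is the same.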
“Increasingly, identity-centric Zero Trust frameworks will be the best choice for any security-conscious organisation,” says Marc Rogers, Senior Director Cybersecurity Strategy at Okta. “The principle of Zero Trust architecture is simple: all network traffic should be considered untrusted until validated. Using this ‘don’t trust, always verify’ approach is particularly helpful when managing remote and hybrid workforces, especially as the threat of ransomware continues to grow.
“We’ll increasingly see organisations switch to a Zero Trust approach in the coming years,
Third-party risk
Though an organisation may have strong cybersecurity measures in place and a solid remediation plan, outside parties, such as third-party vendors, may not uphold the same standards. According to cybersecurity software company UpGuard, these third-party relationships can increase vulnerabilities by providing an easier way for potential threats to attack even the most sophisticated of security systems.