October! A month marked by fall foliage, pumpkin spice everything, and National Cybersecurity Awareness Month (NCSAM) – a joint effort between government and industry to raise awareness about the importance of cybersecurity. This year's NCSAM theme of "Own IT. Secure IT. Protect IT." is a powerful call to action for ownership and accountability. However, many heeding this call won't think about how it also extends to the vast and growing network of third-party relationships. Why? For most organizations, third-parties complicate cybersecurity risk management.
Third-party risk looks like an imbalanced equation. Companies have limited or no control over how third parties secure their technology infrastructure, their applications, or their data; yet those same companies are fully responsible for cybersecurity incidents that occur as a result of those relationships. They are on the hook financially for regulatory fines, penalties, or revenue loss, and they risk their own reputation when an incident leads to negative publicity or operational disruption.
As you look to mature and scale third-party risk management efforts, don't limit security awareness and training to internal staff. When considering third-party risk programs, make sure you:
- Create and maintain a central repository for third-party relationships. You can't manage what you can't measure, and you won't be able to thoroughly assess the risk of each relationship if you don't know how many third parties you have or who they are. More than half of all organizations don't keep an active catalog of their third parties.[1]
- Think beyond outdated nomenclature that limits your scope and creates blind spots. Third parties go by many names: vendor, supplier, IT service provider, affiliate, associate, consultant, etc. Don't limit cybersecurity assessment to software vendors alone. With digital transformation and IoT, almost every third-party relationship involves storing, processing, or transmitting sensitive data, or at least holds credentials or network access that touch it. Treat every relationship as a link in the value chain, including your HVAC repair technician.
- Take cybersecurity precautions at the end of the relationship. For many organizations, one critical step is missing from their third-party cybersecurity process: they overlook or forget to terminate the third party's access to critical systems when a contract is completed. The offboarding process is essential for mitigating downstream risk. Create a process whereby the owner of the third-party relationship notifies the proper channels before announcing contract termination. That way, security can monitor for irregular access during the notice period (in case the third party wants to take any souvenirs at your expense) and can verify that every account, key, and network path granted to that third party has been revoked at the end of the contractual period, rather than assuming it was.
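The first and last items above, the central inventory and the end-of-contract access check, are the two places where a small amount of automation pays off. The script below is an added example and is not code from the original post or from the author's organization; the third-party names, account names, directory snapshot, and authentication log lines are all constructed for illustration. It models the repository as a list of `ThirdParty` records that each carry a contract end date and the accounts provisioned for that relationship, then runs two checks against it: accounts that are still enabled after the contract ended, and authentication attempts (successful or not) made with a third party's account after its contract end date.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Tuple


@dataclass
class ThirdParty:
    """One row of the central third-party repository (constructed schema)."""
    name: str
    category: str            # vendor, supplier, consultant, facilities contractor, ...
    owner: str               # internal owner of the relationship
    contract_end: date       # last day the relationship is authorised
    accounts: List[str]      # accounts provisioned for this third party
    data_handled: List[str]  # classes of data the relationship touches


# Constructed inventory; names are hypothetical.
INVENTORY: List[ThirdParty] = [
    ThirdParty("Acme Payroll", "IT service provider", "hr-ops",
               date(2019, 9, 30), ["svc-acme-sftp", "acme.jsmith"], ["PII"]),
    ThirdParty("CoolAir HVAC", "facilities contractor", "facilities",
               date(2019, 12, 31), ["coolair-bms"], ["none"]),
    ThirdParty("Northwind Consulting", "consultant", "finance",
               date(2020, 3, 31), ["nw.analyst1"], ["financial"]),
]

# Constructed directory snapshot: account name -> still enabled?
DIRECTORY: Dict[str, bool] = {
    "svc-acme-sftp": True,   # should have been disabled on 2019-09-30
    "acme.jsmith": False,
    "coolair-bms": True,
    "nw.analyst1": True,
}

# Constructed authentication log, one key=value event per line.
AUTH_LOG = """\
2019-10-02T03:14:07Z host=sftp01 user=svc-acme-sftp result=success src=203.0.113.7
2019-10-03T22:41:55Z host=vpn01 user=acme.jsmith result=failure src=198.51.100.9
2019-10-03T09:05:12Z host=bms01 user=coolair-bms result=success src=192.0.2.44
2019-10-04T01:30:00Z host=vpn01 user=nw.analyst1 result=success src=198.51.100.30
"""

AUDIT_DATE = date(2019, 10, 5)  # the day the review is run (constructed)


def parse_auth_log(text: str) -> List[Dict[str, object]]:
    """Parse the constructed log format into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *kvs = line.split()
        fields: Dict[str, object] = dict(kv.split("=", 1) for kv in kvs)
        fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def orphaned_accounts(inventory: List[ThirdParty], directory: Dict[str, bool],
                      today: date) -> List[Tuple[str, str]]:
    """Accounts that are still enabled even though the contract has ended."""
    findings = []
    for tp in inventory:
        if tp.contract_end >= today:
            continue  # relationship still active, nothing to revoke yet
        for acct in tp.accounts:
            # An account missing from the directory counts as already removed.
            if directory.get(acct, False):
                findings.append((tp.name, acct))
    return findings


def post_contract_access(inventory: List[ThirdParty],
                         events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Any auth attempt, successful or failed, with a third-party account after its contract end."""
    end_by_account = {a: (tp.name, tp.contract_end) for tp in inventory for a in tp.accounts}
    findings = []
    for ev in events:
        owner = end_by_account.get(str(ev["user"]))
        if owner is None:
            continue  # not a third-party account; out of scope here
        name, end = owner
        if ev["ts"].date() > end:
            findings.append({"third_party": name, "account": ev["user"], "ts": ev["ts"],
                             "result": ev["result"], "src": ev["src"]})
    return findings


def run_report(today: date = AUDIT_DATE) -> Dict[str, object]:
    """Run both checks against the constructed data and return the findings."""
    events = parse_auth_log(AUTH_LOG)
    return {
        "orphaned": orphaned_accounts(INVENTORY, DIRECTORY, today),
        "post_contract": post_contract_access(INVENTORY, events),
    }


if __name__ == "__main__":
    report = run_report()
    for name, acct in report["orphaned"]:
        print(f"REVOKE: {acct} ({name}) is still enabled after contract end")
    for f in report["post_contract"]:
        print(f"ALERT: {f['account']} ({f['third_party']}) {f['result']} "
              f"from {f['src']} at {f['ts']:%Y-%m-%d %H:%M}Z, after contract end")
```

Two design points are worth noting. Failed logins after the end date are flagged alongside successful ones, because a former contractor's credential still being presented is itself the signal worth a call to the relationship owner. And a third-party account absent from the directory snapshot is treated as removed rather than as an error, so the orphan check reports only what still needs revoking; a separate reconciliation between the repository and the directory would catch accounts the repository never knew about.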
This post was written by Analyst Alla Valente, and originally appeared here.