Organisations are still unaware of the risks that third parties pose, according to Forrester.
Speaking to TDP at the release of a new study into Third-Party Risk Management Platforms, Forrester analyst Alla Valente said third-party risk remains one of the largest growing categories of risks inside organisations.
This is because so many firms today are reliant on an ecosystem of partners that are granted access to their IT systems or entrusted with sensitive company data. One study from the Ponemon Institute shows that 59 percent of companies have experienced a data breach caused by one of their vendors or third parties.
These include software vendors, IT service providers, suppliers in their distribution chain and even outsourced digital marketing agencies, PR, accountancy or legal firms.
“Those are all third-party relationships that have access to their customer data, financial data, certainly their intellectual property. All of those pose a real risk to their organisation,” said Valente.
“Unless they’re really diligent about that they could be exposing their organisation to more risks than they’re solving.”
However, as organisations’ reliance on third parties increases, the ecosystem grows more complex. The problem is then exacerbated by a failure to keep a comprehensive inventory of third parties.
“They don’t have any idea how many third parties are in their ecosystem, and they’re only really doing a decent job of assessing a fraction. They might only do due diligence maybe on information security or a privacy assessment on their critical centres. But there’s no standard definition of critical… There may be a very small company that has access inside of your network, and if they got breached, it would expose a lot of your customers, maybe your employee or financial information.”
High profile third-party data breaches include British Airways and Equifax. Data breaches originating from a third-party – such as a partner or supplier – cost companies $370,000 more than average.
Preventing third-party attacks
Valente’s advice is that “an ounce of prevention is worth a pound of cure.”
This means firstly vetting the security of the companies that organisations do business with, aligning security standards, and actively monitoring third-party access.
“An easy first step is just to agree on the definition of what a third-party relationship is. You need to get as comprehensive a catalogue as possible. Secondly, update your definition of what critical is; stop thinking in very traditional antiquated ways: ‘Well, they’re a printer, or maybe they deliver food into our offices.’ Yes, but if you’re giving them access to your system or to your network there’s a good chance that you’ll be breached. It’s a funnel right into your organisation.”
Valente also says that firms should actively monitor third-party access as contracts expire and have an ‘offboarding’ process. “It is critical that they return access and data, and you de-provision them.”
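The three practical steps above (build a comprehensive catalogue, define “critical” by the access a vendor actually holds rather than by its business category, and check that expired contracts have been fully de-provisioned) can be run as checks over a third-party inventory. The following is an added example written for this article, not code from Forrester, TDP or Valente; the `Vendor` record layout, the sensitive-data classes, the one-year assessment window and all vendor names and dates are constructed assumptions, chosen to mirror the printer and catering examples in the interview.

```python
"""Third-party inventory checks: classify vendors as critical by the access
they hold, flag critical vendors with no recent assessment, and catch
offboarding gaps (contract ended, access or data still outstanding).

Added example for the process described in the article; not code from
Forrester, TDP or Valente. All vendor records below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed data classes whose exposure would make a vendor critical.
SENSITIVE_DATA = {"customer_pii", "financial", "employee_pii", "ip"}


@dataclass
class Vendor:
    name: str
    category: str                       # what the business traditionally calls them
    contract_end: date
    network_access: bool = False        # VPN, on-site LAN, API into internal systems
    data_access: set = field(default_factory=set)   # data classes entrusted to them
    active_accounts: int = 0            # live credentials at the time of the check
    last_assessed: Optional[date] = None  # last security / privacy assessment


def is_critical(v: Vendor) -> bool:
    """Critical is defined by access held, not by the vendor's category:
    a caterer with a terminal on the office LAN counts, a PR firm with
    only press releases does not."""
    return v.network_access or bool(v.data_access & SENSITIVE_DATA)


def offboarding_gaps(inventory, today: date):
    """Vendors whose contract has ended but who still hold accounts, network
    access or data that should have been returned and de-provisioned."""
    return [
        v.name for v in inventory
        if v.contract_end < today
        and (v.active_accounts > 0 or v.network_access or v.data_access)
    ]


def unassessed_critical(inventory, today: date, max_age_days: int = 365):
    """Critical vendors never assessed, or not assessed within the window."""
    cutoff = today - timedelta(days=max_age_days)
    return [
        v.name for v in inventory
        if is_critical(v) and (v.last_assessed is None or v.last_assessed < cutoff)
    ]


def summary(inventory, today: date) -> dict:
    """Headline numbers for a risk review: how much of the critical population
    is actually covered by due diligence, and how many offboarding gaps exist."""
    critical = [v for v in inventory if is_critical(v)]
    stale = set(unassessed_critical(inventory, today))
    return {
        "total": len(inventory),
        "critical": len(critical),
        "critical_assessed_in_window": sum(1 for v in critical if v.name not in stale),
        "offboarding_gaps": len(offboarding_gaps(inventory, today)),
    }


# Constructed sample inventory (not real vendors).
TODAY = date(2025, 6, 1)
INVENTORY = [
    Vendor("Acme Payroll", "accountancy", date(2026, 12, 31),
           data_access={"employee_pii", "financial"}, active_accounts=3,
           last_assessed=date(2025, 1, 15)),
    Vendor("Office Catering Co", "catering", date(2026, 6, 30),
           network_access=True, active_accounts=1),          # never assessed
    Vendor("PrintFleet Services", "printer maintenance", date(2025, 3, 31),
           network_access=True, active_accounts=2,
           last_assessed=date(2023, 5, 1)),                  # contract expired
    Vendor("BrandBoost PR", "marketing", date(2026, 9, 30),
           data_access={"press_releases"}, active_accounts=1),
    Vendor("LegalEagle LLP", "legal", date(2025, 1, 31),
           data_access={"ip"}),                              # expired, data not returned
]

if __name__ == "__main__":
    print("critical:", [v.name for v in INVENTORY if is_critical(v)])
    print("unassessed critical:", unassessed_critical(INVENTORY, TODAY))
    print("offboarding gaps:", offboarding_gaps(INVENTORY, TODAY))
    print(summary(INVENTORY, TODAY))
```

The point of `is_critical` is the interview's second step: the printer-maintenance and catering vendors are flagged because they sit on the network, while the PR agency is not, despite being a “real” business relationship. `offboarding_gaps` treats outstanding data as a gap as well as live accounts, since the offboarding described in the article requires both the return of data and de-provisioning of access.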