The Driz Group

Cybersecurity Blog


2/13/2020


Third-party Risks: A New Frontier and a Major Concern for Businesses


Outsourcing to third parties helps businesses free up time and resources, both of which can be channelled back into core business tasks.

But whether the third party provides accounting, marketing, IT support, HR/payroll, customer service and support, or any other service, working with them carries an inherent element of risk. After all, these companies have access to sensitive data: contact details for employees and customers, payment information, login details for essential software and tools, and at times the company's intellectual property.

And a cybersecurity breach could cause this data to fall into the hands of criminals. While most companies are well aware of this danger, too many fail to take action: 77 percent of Canadian small businesses are concerned about being hit by a cyber-attack, but 36 percent choose not to invest in effective security.

That’s a huge oversight. But it’s understandable that small businesses using third-party services for the first time overlook the need for caution when choosing a provider. Third-party risk is something of a new frontier, and technology continues to advance faster than non-experts can keep up with.

This creates a disconnect between businesses and the services they are paying for. As a result, a huge amount of trust is required, and third parties have to be transparent about how they use client data, their security measures, policies and procedures, and more.

In short: due diligence is critical when working with third parties, but what steps can businesses take to mitigate their risk?

Focus on Experienced Vendors and Don’t Cut Corners

Small and medium businesses might be tempted to go with the cheapest third-party service provider in their area. Money can be tight during the early years of building a brand, and usually for some time beyond, too.

But businesses can’t afford to cut corners when choosing vendors responsible for key services and with access to sensitive data.

Always take the time to do your due diligence and find a vendor with provable experience working with companies like your own. They should have a portfolio of satisfied clients they can discuss and be happy to provide references. Even if one of their past clients is in a different industry from your own, a positive experience should give real peace of mind and lend the vendor credibility.

Check for attestations and certifications on the vendor's website. These are a useful trust signal and indicate the team takes its security seriously, but treat a logo as a prompt rather than proof: ask for the underlying report (for example, a SOC 2 Type II report or an ISO 27001 certificate) and confirm that its scope and date actually cover the service you are buying. Awards from leading publications or organizations reinforce a vendor's credibility, too.

Make sure to look the vendor up online and search for reviews. If you do find negative feedback, remember that bad reviews may not be genuine. A reputable service provider should be willing to discuss them and explain why they aren't to be trusted.

Speak to other business-owners and try to find recommendations for reliable third parties in your area. While price is obviously a major factor in your decision, don’t compromise too much just to save a few dollars.

Check their Program for Security Risk Assessments

Take steps to determine the vendor’s approach to security risk assessments, and how regularly they conduct them.

Beware of any team which can’t tell you when they last reviewed their security set-up or what steps they would take if they discovered a data breach. They should be well aware of all potential risks, which measures are necessary to prevent them, and how to communicate these to you in a language you understand.

Reliable vendors will take immediate action to fill any gaps they notice in their cybersecurity posture during assessments. They need to know which cybersecurity attacks their system is particularly vulnerable to, and how a successful attack would disrupt their services.

It’s also vital to find out what a vendor’s plan is for informing clients about a breach, and how they mitigate dangers. This should be documented and well-defined: beware of vendors who seem to be making their plans up on the fly. You want them to be transparent, well-prepared, and in control.

Keep Track of Access

Catalog which tools and files your third-party vendors have access to, including service accounts and API keys, not just named users. You need to know which departments or individuals have permission to use your data, and you can't always be sure this won't be misused (by accident or design).

Ask vendors to explain why they require access, and don’t be afraid to get a second opinion if their reasoning doesn’t ring true. A reliable team will be able to explain their requests clearly.

Make sure to check files and tools on a regular basis, to confirm everything is as it should be. Report the first sign of any discrepancies.
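The review described in this section can be made routine with a short script. The following is an added example, not code from the original post or from The Driz Group: it compares a constructed inventory of vendor accounts against the access each vendor justified in its contract and flags access that outlived the contract, scopes beyond the written justification, and credentials that have not been used within an assumed 90-day window. The vendor names, scope strings and dates are all made up for illustration.

```python
"""Review third-party access against a vendor inventory.

Added example for the "Keep Track of Access" section. All contract and
account records below are constructed sample data, not real vendors.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed review threshold: access not exercised for this long is a finding.
STALE_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class VendorContract:
    vendor: str
    ends: date                      # last day of the engagement
    approved_scopes: frozenset[str]  # access the vendor justified in writing


@dataclass(frozen=True)
class VendorAccount:
    vendor: str
    principal: str                  # user, service account or API key id
    scopes: frozenset[str]          # access actually granted in your systems
    last_used: Optional[date]       # None means the credential was never used


def review_access(contracts, accounts, today):
    """Return (principal, finding) pairs that need follow-up with the vendor."""
    by_vendor = {c.vendor: c for c in contracts}
    findings = []
    for acct in accounts:
        contract = by_vendor.get(acct.vendor)
        if contract is None:
            # Access exists but nobody can point to the agreement that allows it.
            findings.append((acct.principal, "no contract on file for vendor"))
            continue
        if today > contract.ends:
            findings.append((acct.principal, "contract ended, access not revoked"))
        excess = acct.scopes - contract.approved_scopes
        if excess:
            findings.append((acct.principal,
                             f"scope beyond written justification: {sorted(excess)}"))
        if acct.last_used is None or today - acct.last_used > STALE_AFTER:
            findings.append((acct.principal, "unused for over 90 days"))
    return findings


# Constructed sample inventory (hypothetical vendors, principals and scopes).
TODAY = date(2020, 2, 13)

SAMPLE_CONTRACTS = [
    VendorContract("payroll-co", date(2020, 12, 31),
                   frozenset({"hr-export:read", "payroll-db:write"})),
    VendorContract("marketing-llc", date(2019, 12, 31),
                   frozenset({"crm:read"})),
]

SAMPLE_ACCOUNTS = [
    # Fully in line with its contract: produces no findings.
    VendorAccount("payroll-co", "svc-payroll-sync",
                  frozenset({"hr-export:read", "payroll-db:write"}), date(2020, 2, 12)),
    # Holds a scope the vendor never justified, and has gone quiet.
    VendorAccount("payroll-co", "api-key-7f3a",
                  frozenset({"hr-export:read", "finance-share:read"}), date(2019, 10, 1)),
    # Engagement ended six weeks ago but the login still works.
    VendorAccount("marketing-llc", "jdoe-contractor",
                  frozenset({"crm:read"}), date(2020, 1, 20)),
    # Nobody can say which agreement this remote-support account belongs to.
    VendorAccount("unknown-it-support", "svc-remote-helpdesk",
                  frozenset({"vpn:connect"}), None),
]


if __name__ == "__main__":
    for principal, finding in review_access(SAMPLE_CONTRACTS, SAMPLE_ACCOUNTS, TODAY):
        print(f"{principal}: {finding}")
```

The point of the script is the shape of the data, not the code itself: you can only run a check like this if you already hold, per vendor, the list of principals they use, the scopes you granted, the justification they gave, and the contract end date. Collecting those four things is the catalog the section asks for; the script just turns it into a recurring report.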

Build Your Own Contingency Plans Around Vendors

You need to be prepared for an attack no matter how good your vendors are; it's no longer a matter of "if" but of "when". And this preparation has to go deep, so your entire business knows how to proceed if the worst happens.

Think about critical systems which your daily operations depend on. If they were to go down, what processes could your workforce continue to perform? What alternative systems do you have to rely on, if any?

Determining the level of damage a cyber-attack would do to your company, and identifying ways to mitigate it, is crucial.

Next, consider incident response readiness and who would be on the response team. Which employees would be most valuable in this group? How would they be alerted to an incident, and how long do you expect it to take for them to go into action?

Another important process to focus on when building your contingency plans is testing. Running experiments can help you assess the quality of your response to attacks, the length of time it would take to communicate with vendors, and how long it might take to get your systems operating again.

Try to make tests a learning process, so you can see where improvements are needed. You might find your vendor is hard to reach in a crisis, or they seem ill-equipped to provide the fast response promised. Either is a major red flag.

Third-party risks can increase businesses’ vulnerabilities to attack, but a cautious, strategic approach to choosing and monitoring vendors can help to keep you safe.

A professional security consulting service will help you understand the risks you face when working with third parties, how to manage them better, and how to keep your security at its best.

Better yet, some cybersecurity firms can help you implement an affordable and automated third-party assessment programme, including initial due diligence and on-going monitoring.

Want to schedule a free consultation and start improving your third-party cybersecurity posture? Just get in touch with our team now!

Author: Steve E. Driz, I.S.P., ITCP

© 2023 Driz Group Inc. All rights reserved.