The ever-increasing privacy and security risks via third-party vendors and service providers were apparent in 2023 with news of large organizations such as MOVEit, Okta and AT&T being affected. Research has shown that 98 percent of organizations have at least one third-party vendor that experienced a cyber incident within the past two years. With this growing trend, it is increasingly important for organizations to develop robust third-party risk management programs and to consistently review their third-parties to safeguard against security threats and ensure the security and privacy of their data.
Understand third-party cyber risks
Third-party cyber risk can come from various sources, including suppliers, service providers, contractors, and even cloud service providers. The threat actors can access these third parties through inadequate security measures, vulnerabilities in the third-party software, or negligent employee practices. With this in mind, below are some steps organizations can take to mitigate third-party risks.
Create a vendor risk management program. Organizations should create a strong vendor risk management program to consistently assess, monitor, and manage third-party cyber risks. The VRM program should include regular risk assessments, audits, and continuous monitoring of third-party activities. In addition, contractual or partnership agreements should clearly outline security expectations, incident response protocols, and consequences for non-compliance.
Perform risk assessment and due diligence. Organizations should regularly conduct risk assessments and due diligence before entering partnerships or collaborations. Performing a thorough assessment of a potential third-party vendor’s cybersecurity practices and protocols includes reviewing their data protection measures, incident response plans, and overall security posture. Establishing minimum security standards and contractual obligations can also help mitigate risks and protect companies when a vendor breach occurs.
Conduct security training. Human error continues to play a role in cybersecurity and privacy incidents. Organizations should conduct regular comprehensive cybersecurity training for employees, including those working with third-party vendors. Educating employees about phishing attacks, social engineering tactics, and the importance of good cybersecurity practices can reduce the risk of inadvertent security breaches. Vendors should also be encouraged to invest in cybersecurity training for their employees and should be able to demonstrate that their employees receive regular training.
Implement multi-factor authentication and encryption. The use of multi-factor authentication can greatly enhance the security of sensitive data. Organizations should mandate the use of MFA and implement encryption protocols for data to add an extra layer of protection against unauthorized access. They should require their vendors to implement these MFA requirements, as well.
Conduct regular security audits and penetration testing. Conducting regular security audits and penetration testing are vital to an effective cybersecurity strategy. These assessments should be performed on internal systems and the systems of third-party vendors to help identify any potential vulnerabilities or weaknesses.
Protecting against third-party risk
Safeguarding against third-party cyber incidents requires a proactive approach. By understanding the risks, conducting thorough due diligence, implementing a vendor risk management program and comprehensive training, and taking advanced security measures, organizations can significantly reduce their vulnerability to third-party cyber threats. In an era where partnership is essential, investing in cybersecurity measures to protect against third-party risks is crucial for the success of any organization.
The Constangy Cybersecurity & Data Privacy Team assists businesses of all sizes and industries develop a comprehensive incident response plan or support with a breach. We are here to help! The Constangy Cyber Team is available 24/7. Contact us at breachresponse@constangy.com or by phone at 877-DTA-BRCH.
The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation.
Subscribe
Contributors
- Suzie Allen
- John Babione
- Bert Bender
- Jason Cherry
- Christopher R. Deubert
- Maria Efaplomatidis
- Sebastian Fischer
- Laura Funk
- Lauren Godfrey
- Amir Goodarzi
- Taren N. Greenidge
- Chasity Henry
- Julie Hess
- Sean Hoar
- Donna Maddux
- David McMillan
- Ashley L. Orler
- Todd Rowe
- Melissa J. Sachs
- Allen Sattler
- Matthew Toldero
- Alyssa Watzman
- Aubrey Weaver
- Xuan Zhou