Cyber Risk Grows with Third-Party Reliance
Outsourcing internal functions to third-party providers gives a boost to productivity and can reduce operating costs. But heavier reliance on third parties increases your company’s attack surface, making it more vulnerable to cyber attacks. For example, a 2018 survey of more than 1,000 CISOs and security and risk professionals in the U.S. and U.K. found that 61 percent of their companies faced a data breach because of a vendor or third party. Even more worrying, more than a fifth of those surveyed security and risk professionals said they did not know if their employer had experienced a third-party data breach during the past 12 months.
Third-Party Cyber Risk Management Red Flags
Across industries, high costs and limited scale characterize third-party cyber risk management programs. As a result, many have languished, even as the need for them has grown. Absent robust tools to manage their third-party relationships, organizations are struggling to scale inefficient processes to meet the new demands of regulators and business partners for third-party risk assessments. How do you know whether your current third-party risk and third-party cyber risk management practices are mature or immature? Below, we’ve included some “red flags”.
Lots of Buck, Very Little Bang
Spending a lot on third-party risk management with little to show for it is perhaps the best indicator that your TPCRM processes need to be re-evaluated. Among other things, consider how much you’re spending on assessments compared with the percentage of vendors those assessments cover.
Devils You Know
Immature third-party cyber risk management programs typically address only a portion of an organization’s third parties, and often not the vendors who pose the greatest risks. Consider how many vendors your current TPCRM program covers and whether the vendors covered are those that pose the highest risk to your organization. Spending handsomely to achieve a small reduction in risk is rarely advisable. Also consider how many full- and part-time cyber risk analyst positions you’re supporting simply to validate vendor responses.