To compete in a global marketplacefull of disruptors, organizations are rapidly expanding their reliance on outsourcing, cloud providers and other services that speed up time to market.
But with agility also comes cyber risk. As companies have maintained focus on their own defenses, cyber criminals have realized third parties are the attack path of least resistance.
And if their success continues, your data, intellectual property and trade secrets are at risk. But how do you leverage the speed of outsourcing and simultaneously protect your data and trade secrets?
The vast majority of third party cyber risk management market programs we encounter lack scale, speed and efficiency. These programs are based on archaic processes like sharing spreadsheet based questionnaires and manual processes.
But according to PwC’s 2016 Global State of Information Security report, third-party contractors are the biggest source of security incidents outside of a company’s employees.
So why are organizations still using a cobbled together process of GRC tools, external consultants, spreadsheets and internal resources?
At CyberGRX, we believe security and risk professionals do not have appropriate tools to fight the third party cyber battle. A cobbled together process of GRC tools, assessment services and “shared spreadsheets” is no match for a sophisticated adversary.
In a January 2017 report, SurfWatch Labs found “the percentage of cybercrime linked to third parties nearly doubled over the past year – and that only includes publicly disclosed breaches.”
Here are three trends driving organizational need to improve today’s third party cyber risk management process:
1. Explosive Growth in Outsourcing and Growing Consumption of Third Party Services.
Organizations are relying on third-parties to improve the way systems function. And for good reason. Deloitte’s 2016 Global Outsourcing Survey (PDF) found that businesses outsource to reduce costs and drive innovation. And all indicators suggest that outsourcing is here to stay. The average Fortune 500 company has over 20,000 different vendors in 2016. In 2017, companies are expected to bring on even more third parties and will continue to do so into the foreseeable future.
Yet, cybersecurity professionals have not been able to keep up with this explosive growth. According to a survey by PwC, 74% of respondents didn’t have a full inventory of third parties that handle confidential data. Part of this stems from how companies define “insiders”.
Insiders should be classified as anyone with physical or remote access to an organization’s assets. In the past, organizations could simply view “insiders” as employees. But many third parties have also become “insiders” as they are entrusted with sensitive data that hackers would love to get their hands on. Some examples being:
Businesses need to broaden their view of insiders and take appropriate steps to ensure cybersecurity.
2. Bad Guys are Targeting Third Parties
Last year, third party cyber attacks reached a tipping point. Businesses worldwide lost more than $400 billion to hackers. Statistics show that third parties were the source for at least 50 percent of these incidents:
3. Regulatory Pressure From Every Angle – Regardless of Industry
Regulators, across all industries, are required to examine businesses on their compliance to cyber security laws. Some of the most common laws being, PCI, NERC, FISMA, HIPAA, SOX and GLBA. Recent trends in outsourcing and cybercrime have forced industry regulators to put pressure on organizations to better manage third party cyber risks.
For example in 2013, the Office of the Comptroller of the Currency issued “Third-Party Relationships: Risk Management Guidance.” In this bulletin, the OCC clearly states that that banks must have a complete understanding of new third parties. According to the OCC:
“A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.”
These types of guidelines have been adopted across all industries. Yet, most organizations have not been able to keep up with the complexity regulators require. Organizations must ensure that their third-parties comply with vague standards, complete different auditing frameworks, and implement various “best practices.” All while doing their best to limit use of internal resources. Most find this to be a wasteful and complex approach to managing third-party cyber risks, desperately in need of simplification and improvement.
To repair the current broken process used by many organizations today, businesses need to focus on four areas:
For Third Parties: Get assessed once and share with many. Utilize a risk exchange to scale your response capabilities to drive scale and shake out costs.
Digital ecosystems will continue to grow. Bad guys will continue to prey upon the path of least resistance – third parties. It’s up to you to ensure your organization takes a comprehensive and risk based approach – rather than focusing solely on compliance.
About the author: Scott Schneider is head of Business Development at CyberGRX. He is responsible for implementing go-to-market and growth strategies. Previous to CyberGRX, Schneider led sales & marketing at SecurityScorecard, Lookingglass, iSIGHT Partners and iDefense, now a unit of VeriSign.
This post was originally published on http://www.infosecisland.com/rss.html.