6 Best Practices for Managing Third-Party Cybersecurity Risk

CPE Credit Eligible

Best practices for managing third-party cybersecurity risk.

New cyber threats are constantly emerging, making it difficult to identify and manage them. It's essential to keep your organization and its customers protected from cybersecurity risks, and there are best practices you can follow to help. Learn more in this podcast.

Podcast Transcript

Hi, this is Lisa Hill with Venminder.

In this podcast, we’re going to discuss six best practices to continuously manage third-party cybersecurity risks. Many third parties have access to your organization’s sensitive information. So, failing to manage that risk can lead to an increase in third-party data breaches, ransomware attacks, and operational failures. 

Here at Venminder, we have a team of certified cybersecurity experts that help organizations identify, assess, and manage third-party cybersecurity risk.

New cyber threats are constantly emerging, so it can be difficult to identify and manage third-party cybersecurity risks. However, it’s really an essential practice to keep your organization and customers protected from third-party cybersecurity incidents. Although these incidents are never completely preventable, managing a third party’s cybersecurity risk can really help identify issues earlier, which can lessen the impact overall.

You have to remember that any third parties that access, process, store, or transmit your organization’s data should be thoroughly assessed for cybersecurity risk and then regularly monitored throughout that relationship.

Let’s take a few minutes just to look at six best practices to help guide your organization through this process: 

  • The first best practice that I would suggest is to set data breach notification requirements right in your third-party contracts. You can’t really effectively respond to and mitigate third-party incidents if your organization is left in the dark. So, these notification requirements should specify a time frame for the third party to report an incident to your organization. You want to consider regulatory requirements that your organization has to follow, and this can generally be 24 to 72 hours after an incident is discovered. The third party should also inform your organization about the information that was impacted, how they’re responding to that incident, and then any actions they’re taking to prevent future breaches.
  • Second, you want to make sure you understand all aspects of how your third party will interact with your data. Know the type of information your third parties will have access to, how they’re going to protect it, and whether the information will be shared with any subcontractors. Follow the principle of least privilege; really, you should only share the data that’s necessary for your third parties to perform their function. To protect your data, third parties should practice data encryption and follow strict policies for data retention, destruction, and privacy.
  • The third practice that we recommend is to trust but verify. And this is a super common principle in cybersecurity as well as third-party risk management. Your third party is going to assure you that their strong cybersecurity practices are in place, but you have to always verify by reviewing their documentation through due diligence. Review independent audits like SOC reports, other items like cybersecurity policies and penetration and vulnerability test results. You might also want to request evidence of regular security training and social engineering testing. And really a qualified subject matter expert should be evaluating the documentation so that they can provide a detailed opinion of the third party’s control environment. If your third party is using other vendors to store, process, transmit, or access your organization’s data, you should also be verifying that they’re properly managing cybersecurity risk with their own vendors.
  • Next, you want to ensure third parties have comprehensive incident detection and response plans. A cyber incident is generally defined as anything that affects the confidentiality, integrity, or availability of information or an information system. So, your organization should know how your third parties are prepared to identify incidents and then respond to them. Plans should include details about when and how the third party will notify you, how they'll investigate and remediate the incident, and the documented response steps. The plans should also clearly outline roles and responsibilities, so that you know the person to contact during an incident.
  • The fifth best practice is to document and remediate any issues with your third party’s cybersecurity practices. When reviewing your third party’s cybersecurity posture, you might come across issues, red flags, or gaps. Maybe your third party’s incident detection or response plan hasn’t been tested in over five years. If this issue is discovered before you sign your contract, you have the leverage to require the vendor to remediate it within a certain time frame. If you discover issues after the contract has been signed, you’re going to want to work with your legal team to determine what your options are for negotiating the contract or agreement, and communicate with the vendor to resolve the issue.
  • And finally, consider using risk intelligence tools to consistently monitor third-party cybersecurity risks. These tools provide real-time data about current threats that may impact your third party and expose your organization to cybersecurity incidents. When you see elevated risks or trends over time, your organization can take action.

So, by following these six best practices, your organization will establish an effective strategy for managing third-party cybersecurity risk consistently.

Thanks for tuning in; catch you next time!
