
Third-Party Vendors

16 March 2017

IT Security, Risk Management

In today’s business world, it is nearly impossible to find an organization that does not contract with a third-party vendor of some sort. The convenience and flexibility of outsourcing, however, carry significant cyber security risk: sixty-three percent of data breaches have been traced to third parties.

A firm’s cyber security posture is only as strong as that of its vendors. Organizations must therefore treat vendor cyber security risk as part of every third-party relationship, from selection through termination. Here’s how:

  • Integrate security requirements into the initial vetting process. Weaknesses identified before a contract is signed and data is shared are far cheaper to address than those discovered afterwards.
  • Create a third-party risk management program with metrics that show which vulnerabilities each vendor introduces into your organization, and a defined procedure for responding if a vendor suffers an incident.
  • Ask whether your vendor outsources any handling of your information. If so, make sure this fourth party is held to the same cyber security standards as your vendor and your organization.
  • Protect your institution’s interests with a strong contract that specifies key performance measures, service-level agreements, and benchmarks. Require that all devices holding your proprietary information be encrypted.
  • Remember that even when your data is hosted by a third party, you likely remain responsible for keeping it secure. Ask your vendor for a written list of its security responsibilities so it is clear what each party must do to safeguard your data.
  • Require ongoing monitoring of third parties. Today’s threat environment is constantly changing and creates new risks to the enterprise, so a point-in-time assessment at onboarding is not enough. Organizations need a dashboard that provides up-to-date risk analyses of their vendors.

Cyber security has no boundaries, and no single standardized cyber risk assessment fits every vendor relationship. Businesses must therefore make an ongoing effort to identify vulnerabilities within their own organization and within the organizations they outsource to. COMPASS’ enterprise risk management approach helps companies mitigate their risks by assessing the people, policies, and technology within the organization.

As COMPASS is vendor agnostic, it allows us to take a holistic and informed approach to third-party vendor selection. If you would like to discuss vendor options, please reach out. For more information, download our Third-Party Vendor Due Diligence Guide.
