How Can I Tell If My Third-Party Vendors Are Adequately Protecting Organizational Data From Hackers?
FTI Consulting’s Global Head of Cybersecurity, Anthony J. Ferrante, answers the question every organization must confront as the risk of a cyber attack grows. This is the fourth of four articles for National Cybersecurity Awareness Month (October) from FTI Cybersecurity.
With the growing complexity and sophistication of the corporate environment, many organizations today are outsourcing business operations, such as accounting, benefits and IT, to third-party vendors. Their goal is to realize efficiencies and cost savings.
This trend comes with a great deal of implicit trust. And risk. Data shared with a third-party vendor can leave you exposed to hackers who see the vendor as a “back door” into the network of the larger, more valuable enterprise. In one survey, 53 percent of organizations said they had experienced one or more third-party data breaches over the past two years, at an average remediation cost of $7.5 million.
As with any potential partnership, vetting a vendor starts in the due diligence phase. Evaluate them as you would any other prospective vendor, with questions about financial health and long-term solvency. Questions specific to cybersecurity include: Are they open to a cybersecurity audit? How often do they assess their cybersecurity protocols? What is their incident response plan in the event of a breach? Answers to these questions should be backed up with solid documentation.
For a current vendor, start with the business unit within your organization that uses its services. Ask which specific duties are being outsourced and whether any issues have arisen with shared data or confidential information.
From there, it is imperative to conduct a standard vendor assessment that also gauges cyber risk. Are they running regular security assessments, and can they provide your team with written results? Review the credentials used to access your data and which parties within their organization hold them. Does the firm have employee training protocols for handling sensitive data? Are their systems up to date with the latest versions of email software, operating systems, etc.? Do they understand and practice device security?
Ideally you already have a contract in place that confirms all security measures are being followed. If you don’t, consider creating a service-level agreement that gives your company the right to audit the vendor’s compliance with your own security policies. You may also want to consider outsourcing the entire assessment process to a vendor risk management firm that specializes in cyber risk.
Eliminating all cyber risk is nearly impossible once you grant a third party access to your data. But evaluating prospective vendors and assessing your existing roster can reduce the chances that your organization becomes the victim of an attack.
© Copyright 2019. The views expressed herein are those of the author and do not necessarily represent the views of FTI Consulting, Inc. or its other professionals.
Senior Managing Director, Global Head of Cybersecurity