Cyber risk is often left unaddressed in the due diligence process of vetting or monitoring a third party. As a result, the cyber risk that is transferred to a vendor becomes an afterthought and a common blind spot. With the ease and accessibility of outsourcing core competencies, this risk continues to be a significant issue. It is not enough to strengthen your own cybersecurity posture; you must also consider the policies, standards, and defenses of the third-party partners who have access to your network.
Ponemon Institute’s “Data Risk in the Third-Party Ecosystem” study found that 61 percent of the United States companies surveyed said they had experienced a data breach caused by their vendors or third parties. This is an increase of 5 percent from 2017, and the figure continues to rise. With the General Data Protection Regulation (GDPR) now in effect, the high cost of reputational damage and downtime after a breach, and a constantly evolving threat environment, the risks associated with third-party attacks escalate every day.
Why are third party breaches so common?
Service providers commonly have privileged access to multiple customer environments and are inherently trusted to store and protect confidential information. This makes it possible for cybercriminals to access a large amount of data in one swoop, eliminating the need to target multiple sources separately.
Third party breaches are often more costly
Third-party involvement in a breach significantly increases its cost. Ponemon Institute’s “2018 Cost of a Data Breach” study showed that when a third party causes a data breach, the cost increases by more than $13 per compromised record, for an adjusted total average cost of $161 per record.
How can you reduce third party cyber risk?
Attackers often exploit weak links such as untrained employees and unpatched vulnerabilities. Cybersecurity awareness training mitigates phishing attacks, and regular patching of third-party software closes known vulnerabilities.
A proactive cybersecurity program that can evolve with your business and accommodate new regulations decreases the likelihood of a data breach. It is important to integrate the latest best practices, remediate known vulnerabilities, and identify and assess issues proactively before they develop into real problems. Always perform cyber due diligence, and hold your partners to the same level of security standards (or higher) that your company maintains.