To Better Manage Cybersecurity Risk, Extend Zero Trust Principles to Third Parties – TechCrunch

Today’s cybersecurity landscape requires an agile and data-driven risk management strategy to deal with the ever-expanding third-party attack surface.

When an organization outsources services by sharing data and network access, it inherits cyber risk from its vendors through their people, processes, technology, and that vendor’s third-party vendors. A typical company works with an average of nearly 5,900 third parties, which means companies are at tremendous risk regardless of how well they cover their own fundamentals.

For example, according to a report by Black Kite, 81 individual third-party incidents resulted in more than 200 publicly reported breaches and thousands of ripple-effect breaches throughout 2021.

The current outside-in approach to third-party risk management is inadequate. Instead, the industry needs to move toward a new approach to third-party risk management by initiating conversations that go beyond outside-in assessments. In particular, organizations should establish zero trust principles for all vendors, assess the risk of external and internal assets with inside-out ratings, and measure cyber risk in real time.

The Zero Trust principle of “never trust, always verify” is widely used to manage internal environments, and organizations should extend this concept to third-party risk management.

To counter this inherited risk, companies need to view vendors as part of their own business.

The looming threat

The amount of data and business-critical information that a company shares with its vendors is overwhelming. For example, a company may share intellectual property with manufacturing partners, store personal health information (PHI) on cloud servers for sharing with insurers, and provide marketing agencies with access to customer data and personally identifiable information (PII).

This is just the tip of the iceberg, and most companies often don’t realize how big the iceberg really is. In a survey conducted by the Ponemon Institute, 51% of companies surveyed said they do not assess the cyber risk exposure of third parties before allowing them access to confidential information. Additionally, 63% of organizations surveyed said they have no visibility into what data and system configurations vendors can access, why they have access, who has permissions, and how the data is stored and shared.

This vast network of companies sharing real-time information creates a massive attack surface that is increasingly difficult to manage. To address this challenge, organizations leverage cybersecurity initiatives such as questionnaire-based onboarding surveys and security assessment services in their third-party risk management strategies.

Although these tools have specific use cases, they also have serious limitations.

Cybersecurity assessment services are a quick and inexpensive approach to third-party risk assessments. Their simplicity, representing a provider's cyber risk as a single score, much like a credit rating in financial services, makes them a popular choice despite these limitations.
