Updated March 2021
Third-party and supply chain partners are often the weak link in cybersecurity programs. With weaker security measures, supply chain partners are a favorite target of attackers to gain access to larger organizations. Because of this vulnerability, larger organizations are instituting more comprehensive cybersecurity requirements for all third-party suppliers.
As many as 80 percent of CIOs and CISOs polled in a new 2020 report from BlueVoyant say they have experienced a breach originating with a third-party vendor in the last year. The research also points out the reason behind this high frequency of breaches; only 23 percent are monitoring their third-party vendors.
Relying on third-party suppliers and supply chain partners who bring their own cybersecurity measures and protocols often create a patchwork approach that is prone to errors. According to Shawn Waldman, CEO of Secure Cyber Defense, “Patchwork cybersecurity programs have led to substantial breaches because companies don’t have plans and processes in place for properly managing outside access to a network. Establishing a more ridged cybersecurity process for any third-party vendor who has access to your network, and what exactly they have access to, is the new standard to manage risk.”
Organizations are now requiring the ability to monitor, identify risk, and isolate threats throughout all third-party systems accessing their network, particularly those with access to highly sensitive customer and financial data. It isn’t enough to evaluate third-party suppliers once; organizations need a plan to monitor and access threats continuously. There are a number of cybersecurity frameworks available to help third-party vendors manage their compliance and risk including those from NIST and and the CIS Top 20 Controls.
The good news for third-party suppliers is that once they achieve higher levels of cybersecurity and compliance, business opportunities with larger companies open up. While a company’s products and services may be the main draw of larger organizations, having a third-party organization compliant with their more stringent cybersecurity requirements becomes a significant competitive advantage. A recent Vodaphone report found “86% of high-growth companies are seeing cybersecurity as an enabler of new business opportunities, rather than simply a means of defense.”
Secure Cyber Defense works closely with organizations mapping out their cybersecurity strategy while establishing a protocol for onboarding suppliers and third parties who link with critical systems and databases. Secure Cyber Defense recommends regular cybersecurity assessments of third-party access and potential vulnerabilities. As a CIS SecureSuite member, Secure Cyber Defense offers a number of tools and approaches for evaluating and managing third-party vendor cybersecurity risk. “You can outsource systems and and services, but you cannot outsource your risk,” says Waldman.