By Shanna Utgard, Cybersecurity Success Manager, Defendify
We've seen a significant increase in organizations falling
victim to the latest cyberattack, resulting in a costly trove of compromised business
and customer data. Any breach requires significant time, resources and money to
remediate, not to mention the unintended costs like legal fees and the potential
loss of customer trust and new business opportunities. Recent studies have shown that the
average cost of a data breach to businesses can range from $120,000 to $1.24
million, and that's strictly looking at the non-enterprise market.
How does this happen when organizations are seemingly
following all the right steps to ensure their data is secure? The culprits can
often be the organizations you trust and willingly gave keys to your data: your
partners and vendors.
The Ramifications of Cyber Threats Are Far-Reaching
Cyber threats have grown in sophistication in today's
increasingly hyper-connected world, so it's critical to scrutinize all
potential entry points. External partners
and vendors are important to your business, but if left unchecked, they could unintentionally
compromise the security of your data.
In fact, before granting access to your data, you hold
the burden of responsibility to ensure your business partners have healthy
cybersecurity practices in place. Consider, for example, the confidential
documents or files detailing intellectual property (IP) that a law firm might
store about their clients and business partners. Not only could exposing this
type of data have far-reaching consequences, but an undetected cyber breach may
allow bad actors to gain access to other integrated systems, networks, or applications
and cause further damage.
So how can you properly vet your partners and vendors? Start
with a thorough cybersecurity risk assessment.
The Cybersecurity Risk Assessment
Larger enterprises
have been conducting cybersecurity risk assessments on their external partners
and vendors for years, but this is an important practice for organizations of
all sizes. Cyber attackers may use external providers to "island hop". This
catchy term is a play on the military strategy of World War II where the United
States utilized smaller islands to get to their larger targets. Threat actors
use organizations with less advanced cyber protections to gain access to other
entities. A breach of your systems may lead to infecting a vendor, or your
third-party may cause a breach of your systems.
From the Target breach to the Solarwinds attack, we continue to be
reminded how important it is to understand the security weaknesses of your
vendors and partners and how they could put your data at risk.
A cybersecurity risk assessment will require your vendors
and partners to disclose the policies,
procedures, and tools they use to protect data across their organization, and
what potential security gaps could potentially lead to a compromise.
The assessment should include questions about technology
solutions and cloud applications used, data storage and protection methods, employee
cybersecurity training tactics, and data use policies and incident response plans,
company cybersecurity testing processes and more.
This task might
seem daunting to some, but consulting key security frameworks like the NIST Cybersecurity Framework will guide what you should look for. You can
reduce the complexity of assessing the cybersecurity posture of your third-party
providers by using a cybersecurity
assessment tool. The tool
should map assessment questions to security frameworks like NIST, CIS, HIPAA, or
GDPR. The result should be a detailed report that includes an overall
cybersecurity "grade", a list of security gaps, and recommended next steps on remediating
vulnerabilities.
Remember, it is
not just your organization's data you need to be mindful of, but also your
customers' data. Requiring regular cybersecurity assessments from your external
partners and vendors not only reduces the risk of a breach but can show your customers
and prospects that you go above and beyond to protect their data - a nice potential
value-add that differentiates you from your competition.
##
ABOUT THE AUTHOR
Shanna Utgard, Cybersecurity Success Manager, Defendify
CRN Women of the Channel winner, Shanna Utgard, has been helping organizations without security teams, including IT service providers, build stronger cybersecurity programs beyond traditional methods. As an accomplished training professional, Shanna frequently speaks on a broad range of cybersecurity topics, from prevention tips to scaling revenue through cybersecurity.