Virtualization Technology News and Information
Know Who Has the Keys to Your Data

By Shanna Utgard, Cybersecurity Success Manager, Defendify

We've seen a significant increase in organizations falling victim to the latest cyberattack, resulting in a costly trove of compromised business and customer data. Any breach requires significant time, resources and money to remediate, not to mention the unintended costs like legal fees and the potential loss of customer trust and new business opportunities. Recent studies have shown that the average cost of a data breach to businesses can range from $120,000 to $1.24 million, and that's strictly looking at the non-enterprise market.

How does this happen when organizations are seemingly following all the right steps to ensure their data is secure? The culprits can often be the organizations you trust and willingly gave keys to your data: your partners and vendors.

The Ramifications of Cyber Threats Are Far-Reaching

Cyber threats have grown in sophistication in today's increasingly hyper-connected world, so it's critical to scrutinize all potential entry points. External partners and vendors are important to your business, but if left unchecked, they could unintentionally compromise the security of your data.

In fact, before granting access to your data, you hold the burden of responsibility to ensure your business partners have healthy cybersecurity practices in place. Consider, for example, the confidential documents or files detailing intellectual property (IP) that a law firm might store about their clients and business partners. Not only could exposing this type of data have far-reaching consequences, but an undetected cyber breach may allow bad actors to gain access to other integrated systems, networks, or applications and cause further damage.

So how can you properly vet your partners and vendors? Start with a thorough cybersecurity risk assessment.

The Cybersecurity Risk Assessment

Larger enterprises have been conducting cybersecurity risk assessments on their external partners and vendors for years, but this is an important practice for organizations of all sizes. Cyber attackers may use external providers to "island hop." This catchy term is a play on the military strategy of World War II where the United States utilized smaller islands to get to their larger targets. Threat actors use organizations with less advanced cyber protections to gain access to other entities. A breach of your systems may lead to infecting a vendor, or your third party may cause a breach of your systems. From the Target breach to the SolarWinds attack, we continue to be reminded how important it is to understand the security weaknesses of your vendors and partners and how they could put your data at risk.

A cybersecurity risk assessment will require your vendors and partners to disclose the policies, procedures, and tools they use to protect data across their organization, and what security gaps could potentially lead to a compromise.

The assessment should include questions about technology solutions and cloud applications used, data storage and protection methods, employee cybersecurity training tactics, data use policies, incident response plans, company cybersecurity testing processes, and more.


This task might seem daunting to some, but consulting key security frameworks like the NIST Cybersecurity Framework will guide what you should look for. You can reduce the complexity of assessing the cybersecurity posture of your third-party providers by using a cybersecurity assessment tool. The tool should map assessment questions to security frameworks like NIST, CIS, HIPAA, or GDPR. The result should be a detailed report that includes an overall cybersecurity "grade", a list of security gaps, and recommended next steps on remediating vulnerabilities.

Remember, it is not just your organization's data you need to be mindful of, but also your customers' data. Requiring regular cybersecurity assessments from your external partners and vendors not only reduces the risk of a breach but can show your customers and prospects that you go above and beyond to protect their data - a nice potential value-add that differentiates you from your competition.




CRN Women of the Channel winner, Shanna Utgard, has been helping organizations without security teams, including IT service providers, build stronger cybersecurity programs beyond traditional methods. As an accomplished training professional, Shanna frequently speaks on a broad range of cybersecurity topics, from prevention tips to scaling revenue through cybersecurity.

Published Friday, April 30, 2021 7:33 AM by David Marshall