Because there are so many different kinds of third parties, identifying whether they do or don’t have the right infrastructure or security protocols can be a challenge. Moreover, doing the proper due diligence needed to vet third-party vendors can be costly and time-consuming.
As so many organizations rely on a variety of different providers, third parties can become gateways to the network. In order to mitigate the risk of a breach through a third party, enterprises need to design a vetting process and understand the language of the service-level agreement in order to best evaluate their contracts.
Yong-Gon Chon, CEO of Cyber Risk Management, said, "There isn’t a single cloud service provider that offers an SLA for security. Uptime, visibility, yes, but there is no equivalent for security. Most say we have this amount of response time for this kind of data breach, or we will notify you in this amount of time if we find this kind of vulnerability."
The issue, said Chon, is that security is invisible. "It only becomes tangible when things go wrong." If enterprises know what they stand to lose when things go wrong, they can make security more tangible before it becomes an issue.
"They need to have a handle around what their most valued data assets are within their business," said Chon.
Asking questions like 'What would happen if that information were breached, stolen, or ransomed out of the organization?', 'What do users have access to?' and 'What can they copy or delete?' will give enterprises a clear understanding of how that information flows inside and outside of the organization. "They need a road map to say this is what we should and should not trust with our third parties," said Chon.
When organizations look to move out to the cloud, many lack a full appreciation of what the provider will give them, up to and including what security it is providing. Chon said, "They need to understand to whom they are providing access, and they need to be aware of the rules and regulations that govern that."
There is a dividing line between those third parties that pose greater risk and those that provide a greater level of assurance. That line is the safeguards and policies that the third parties have achieved.
"There is what I would call a minimum level of safeguards. Following a risk management framework provides some level of assurance that they have achieved a bar, that they have the right policies, and that they are training their people. There is awareness and an ability to protect their data, and they have some certification or validation of those controls," Chon said.
The organizations that are really leading the way are the ones in heavily regulated environments, said Chon, but the other industries don’t have that same regulatory environment that requires strong oversight of third parties. As a result, these organizations in other sectors are looking to emphasize how to trust their third-party providers.