Third-Party Risk Management 101

Gaining clear insight into what is being exposed is the first step in securing shared data. Lack of visibility is a common complaint among enterprise executives and network defenders alike: more often than not, the companies generating the data do not know what their partners are doing with it. Clear oversight is an area that needs to be addressed, and investment in third-party security is lacking. Security professionals who took this month’s Cybersecurity Buyer Intelligence survey said they simply do not have the budget required to get a clear picture of their data exposure landscape and of which partners could pose a risk. The result is fragmented communication across multiple layers of partners and an inability to respond properly when a breach occurs. AuditBoard’s From Trust to Security: Third-party Risk Management Strategies and Challenges, produced in partnership with CyberRisk Alliance, covers securing your evolving IT operations by managing third-party risk.

Gain clarity on your environment. Most companies share their data with dozens of partners, and in some cases hundreds or even thousands of outside parties can access internal data. This lack of clarity becomes a serious security liability should one or more of those partners mishandle or expose data. Defenders need a full picture of who is accessing what in order to craft and enforce security policies effectively, and that requires building and maintaining a complete inventory of data sharing: which partner holds which data, under what agreement, and with what level of access.

Understand what is at risk. In addition to knowing who has access to which data, it is important to know how that data is being secured and what the cost of its exposure would be. Confidence in third parties is often low, because companies are given little insight into how their partners protect their own networks and secure the data entrusted to them. Defenders also frequently lack a clear picture of the consequences should that data be compromised. Effectively managing access to data, and minimizing the amount of data shared in the first place, is therefore essential.

Plan ahead for a third-party breach. Software vendors are considered the primary source of third-party breaches, while fourth-party vendors (the subcontractors of your partners) are among the biggest worries for data security. In both cases there is little defenders can do to address the partner’s security directly. When a partner’s data security cannot be assessed, it is important to control what you can: the classification of the data shared and the level of access granted. Companies are encouraged to adopt methods of directly controlling data

  1. The State of Third-Party Risk: Complexity abounds. Getting a handle on your third-party security strategy begins with getting a clear picture of who you are working with and in what context. For many enterprises this is easier said than done, as dozens of outside groups can be involved across various projects. Without a clear view of the third-party landscape, it is nearly impossible for administrators to craft effective policies and protections. Our survey found that enterprises routinely work with dozens of outside partners on projects that require access to internal data: 40% of those surveyed report that their company works with more than 50 third-party contractors, and 15% say their company works with more than 250 outside partners. This creates an environment in which even well-planned security strategies suffer from blind spots and vulnerabilities introduced by unsecured third parties.
  2. Partnerships are based on (possibly misplaced) trust. Confidence in a third-party partner relies largely on trust, and for many enterprises that trust comes with little verification. Companies increasingly rely on superficial methods for assessing and maintaining the trust they place in their partners: 58% of those surveyed say they undertake annual risk assessments of their third-party partners, and only 54% consider those assessments to be “in-depth” in scope. Lack of visibility into partners’ security controls remains a top concern, particularly when it comes to fourth-party subcontractors.
  3. A lack of visibility into, and access to, third-party security assessments is driving concern for companies looking to secure their data. Security professionals not only lack visibility into how partners handle their data; they also lack sufficient tools and standards to properly assess and maintain oversight of how that data is handled.

Effective data security is not solely an internal matter; it extends to the policies and practices of third-party partners. Enterprises must prioritize gaining clear visibility into how their data is accessed and handled by those partners. Download your free copy of the report today to learn more.