Data-driven risk management is needed to deal with the ever-expanding third party attack surface.

When a business outsources, it inherits the cyber risk of its vendors across their people, processes and technology, and of those vendors' own third parties. However well companies cover their own bases, they face a huge amount of risk because they work with an average of nearly 5,900 third parties.

According to a report by Black Kite, 81 individual third-party incidents led to more than 200 breaches and thousands of ripple-effect breaches throughout the year.

The current approach to managing third-party risk is not adequate. It's time for the industry to start talking about a new third-party risk management approach. Businesses should establish zero-trust principles for all vendors, assess risk across external and internal assets, and measure cyber risk in real time.

The zero-trust principle of “Never trust, always verify” has been adopted widely to manage internal environments, and organizations should extend this notion to third-party risk management.

Vendors should be treated as extensions of the enterprise's own business, subject to the same scrutiny as internal assets.

The looming threat

The amount of data shared by an enterprise with its vendors is staggering. Sharing intellectual property with manufacturing partners, storing personal health information on a cloud server, and giving marketing agencies access to customer data are all possibilities.

Most businesses don't know how large this exposure is. According to a survey conducted by the Ponemon Institute, a majority of companies don't assess the cyber risk posture of third parties before giving them access to confidential information. The same survey found that more than half of companies don't have visibility into what data and system configurations vendors can access, why they have access, who has permission, and how the data is stored and shared.

A large network of businesses sharing information in real time creates a vast attack surface that is becoming increasingly difficult to manage. To address it, businesses rely on questionnaire-based onboarding surveys and security rating services.

These tools have legitimate use cases, but they also have limitations.

Third-party risk assessments can be done with a cybersecurity rating service. Their simplicity, much like that of credit ratings in financial services, makes them a popular choice.