The month of October is famously associated with scares. But for businesses, ghosts and witches are far less scary than a risk that hangs over every modern organization: cybersecurity threats. This October marks the 18th Cybersecurity Awareness Month, an initiative meant to encourage people and businesses to prepare for the cyber risks now all around us.
Luckily, by now most businesses know to take cybersecurity seriously. Enough horror stories make the news each year to keep executives up at night; this year’s main boogeyman was Solarwinds. But as the cybersecurity industry grows alongside awareness of cyber risks, there’s one aspect of cybersecurity a lot of businesses aren’t giving enough attention to: third-party cybersecurity risks.
6 Reasons to Make TPRM a Cybersecurity Priority
Third-party risk management (TPRM) is an important part of any solid cybersecurity strategy in 2021. Third-party risks are those introduced through your relationship with another organization, such as software you use or a subcontractor you hire. These kinds of third-party vulnerabilities are a lot bigger and scarier than many businesses realize.
1. Third-party risks are on the rise.
A 2020 State of the Supply Chain report found that supply chain attacks, one of the most common forms of third-party cybersecurity threats, are up 430%. Hackers have gotten wise to the fact that large organizations that make big investments in security often work with smaller vendors who don’t. More and more often, bad actors are looking for ways to get at the big guys through the other organizations they work with.
For attackers, this is a powerful option. With the Solarwinds breach, a vulnerability in one software product gave hackers potential access to 18,000 organizations around the world, including heavy hitters like the U.S. military and the country’s top telecommunications companies. Cybercriminals around the world see successful examples like this and recognize an opportunity they can exploit as well.
2. The cost of a third-party breach is no less than that of a direct attack.
It would be nice if another company’s oversight could remain that company’s problem. But if your relationship with another company puts your customers’ information at risk, none of those customers will care that your business wasn’t directly at fault. The cost in time, money, and reputation will fall on you at least as much as it does on the third party that hackers used to get to you.
When Target was at the center of a famous data breach in 2013, no one considered the company less responsible because a hacker used a third party’s credentials to get in. Target still had to pay an $18.5 million settlement and weather the PR nightmare the breach caused.
3. A third-party attack can take longer to notice.
A ransomware attack on your own systems is hard to miss. But a hacker using a third-party system to access sensitive data? That’s something you could go months or years without even noticing. This is yet another notable lesson from the Solarwinds hack: it took months for a cybersecurity firm to realize the attack had even occurred. How much damage could a hacker with months or years of access do?
4. Modern businesses can’t avoid third-party relationships.
No business is an island. The modern business world is complex, and most organizations need to work with hundreds, if not thousands, of vendors in order to do their work effectively. On average, companies work with 583 third-party vendors, and enterprise companies have relationships with many more. You can’t reduce risk simply by opting out of third-party relationships. Doing business depends on having them.
5. Your cybersecurity procedures are only as strong as those of your weakest third party.
Every relationship you enter into poses new cybersecurity risks. Worse than that, the relationships each of those vendors enters into could put you at risk as well, compounding the problem with every link in the chain. Hackers know that a big organization with an impressive reputation probably has strong security procedures, so they’ll look at the smaller companies you work with to see if they can find a vulnerability there. They only need to find one weak link to get to you.
6. There’s no easy software fix for third-party risk.
For a lot of business problems today, the easy fix is to purchase a technology solution that solves (or at least helps with) the problem. That’s part of why companies have so much third-party risk to begin with: investing in hundreds of software products adds to the list of third-party vendors you work with.
But third-party risk is one problem that doesn’t have an easy tech solution. There’s no single software product that can manage the problem effectively for you. Instead, it takes a mix of technology and business processes. It’s hard to do well and requires ongoing work to stay vigilant.
Use Cybersecurity Awareness Month to Get Prepared
TPRM isn’t easy, but that doesn’t make it any less important. Cybersecurity Awareness Month is a good reminder to get your vendor risk management processes in order and protect yourself. Take advantage of the cybersecurity resources available to you, such as stopransomware.gov and the Internet Complaint Center (IC3). Develop clear policies and SLAs (service level agreements) for the vendors you work with, so you can confirm that their processes meet your standards.
And develop a plan now for how to identify cybersecurity breaches when they occur, and what to do once you have. You’ll be much better prepared for a worst-case scenario if you’ve already thought through the best steps to take when it happens.