Outsourcing cybersecurity services is becoming increasingly difficult because of tightening rules in the cyber insurance industry. That is creating an aggressive new approach to vetting vendors.
The process is becoming more exhaustive, especially in financial services. Service providers are being required to provide far more information about their cyber practices, sometimes with vetting that includes 250 or more data requirements.
Several high-profile cybersecurity incidents in recent years have highlighted the risks that vendors can pose to an organization’s data and systems. Target, Netflix, and Ticketmaster have suffered breaches, and media coverage has damaged reputations and affected stock prices. Thousands of other incidents have gone unreported.
The potential for data breaches originating with vendors is increasing as organizations rely on them. Vendors have different levels of cybersecurity maturity, making it essential for organizations to assess and monitor their vendors' security practices.
The vendor risk assessment company UpGuard has published five things you need to know about third-party risk.
Jerry Archer, chief security officer for Sallie Mae, says that the real courtship begins once a vendor has passed the RFI stage. “I need to know their security teams,” Archer says. “I need to know if I can count on them. I need to know their expertise.” When that expertise is lacking, but “the business really wants to do work with a particular vendor,” he adds, “we send some of our subject matter experts to work with their folks to bring them up to a level that we deem appropriate.”
Insurers are also looking closely at how organizations authenticate third-party privileged users from vendor organizations who need access to sensitive data and company systems. Vendors need the same security as employees, yet they are rarely given the same security consideration. For instance, a vendor brought in for a brief two-week engagement should be onboarded and offboarded following the same HR processes as a new employee to minimize risk.