“Cybercriminals are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation created by COVID-19.”- Jürgen Stock, INTERPOL Secretary General
In this two-part series, we discuss the importance of and ways to mitigate third-party cyber risk despite the major adjustments organizations around the world have had to make due to the current business environment.
With the persistence of COVID-19, the impact on global third-party supply chains has only increased, making assessing third-party risk more important than ever.
The needs of organizations have changed, and focus has shifted to remote workforces and business continuity. Prioritization of third parties and their services that play vital roles in the day-to-day operations to help organizations achieve their goals has become even more critical in these uncertain times. Despite this growing need, McKinsey predicts “>70% of CISOs and security buyers believe budgets will shrink by the end of 2020.” (source) Unfortunately, this oftentimes leads to corners being cut, and security processes—both in place and planned—become an afterthought.
Fortunately, there's a straight-forward way for organizations to continue mitigating risks despite these factors. Organizations should begin measuring the Maturity and cyber hygiene of their third parties and establish a baseline. Using bespoke questionnaires, customized spreadsheets and emails is NOT the way to go about it. It’s important to modernize and streamline redundant and inefficient processes that come with shared and static spreadsheets. The need of the hour calls for leveraging frameworks such as NIST (800, CSF, etc.), NERC, GDPR, APP, etc. to measure the data protection policies and standards of third parties. Having a Standards framework will show what adjustments are needed to strengthen the policies and report in a consistent manner to leadership on the baseline and improvements being made.
Standards can help outline procedures designed to reduce risk exposure. Centralizing the assessment of third-party resilience during periods of disruption and heightened risk are major operational advances an organization can take to be resilient.