Third party cyber risk is a growing concern for organizations, as breaches and hacks tied to third party providers and applications multiply. How do you know if your third party cyber risk management program is up to the task? Our new e-book, sponsored by CyberGRX*, will help you figure it out!
Look behind many headline-grabbing cyber attacks these days and you find a common culprit: vulnerable third party providers. For example, third party risk is lurking just off stage in the August story about a massive ransomware outbreak at 22 Texas municipalities.
That attack followed from the compromise of a single municipal software provider that served those communities, and it resulted in the interruption of critical town services.
Or consider the fate of the firms LabCorp and Quest Diagnostics, which in 2019 disclosed massive data breaches affecting 24 million patients. The source of the breach: the American Medical Collection Agency (AMCA), a medical collections firm.
Thousands of third parties – but how to track them?
The growth in third party compromises tracks the private and public sector’s growing reliance on third parties of all sorts. This includes traditional suppliers, vendors and subcontractors as well as resellers and distributors, business partners and affiliates. Business and technology trends are boosting the reliance on third parties as well.
The phenomenon that McKinsey calls the “digitization” of industries sees more companies turning to managed service providers (MSPs) and cloud services firms to provide key corporate functions. In just one measure of this phenomenon, the Technology Services Industry Association (TSIA) notes that, for the largest 50 technology firms, services accounted for just 41% of total revenues in 2008 ($318b), but jumped to 55% ($456b) in 2018, while product revenues have declined.
Rethink your Third Party Cyber Risk Management
Despite the increase in exposure, third-party cyber risk management practices vary greatly across companies and industries. Even in the financial services and insurance industries, one survey found that two-thirds of third-party cyber risk management programs are immature: lacking a solid grasp of inherent risk and well-defined risk appetites, according to a study by the Center for Financial Professionals.
In other industries such as healthcare, oil and gas or the public sector, recognition is just dawning of the need for a distinct third party risk management function. Third party risk management and third-party cyber risk management practices in these industries are far less common.
That’s why Security Ledger teamed up with CyberGRX to put together a kind of “buyer’s guide” for third party cyber risk management services. The product of that, Rethinking Third Party Cyber Risk Management, is now available for download.
Advice from risk professionals
We spoke with risk professionals at leading firms in industries like financial services, pharmaceuticals and healthcare about their third party cyber risk management strategies. We wanted to find out what features distinguish a mature cyber risk management practice from an immature one, and how IT and risk professionals can improve their own third party cyber risk management practices.
Regardless of your industry, and whether third-party cyber risk management practices are new or well established at your firm, you want to make sure that those practices are effective, timely and actionable. You want to move your third-party cyber risk management practices along a maturity curve: from cursory to comprehensive, from periodic to continuous, and from informational to actionable.
We encourage you to download this guide. After reading it, you will better understand how you can ensure that your current third-party cyber risk management practices will translate into lower third-party cyber risk and understand where your company’s practice sits on the third-party cyber risk management ‘maturity curve.’
As always, we welcome your feedback and suggestions on how to make this guide and others like it better!
(*) Disclosure: This report was sponsored by CyberGRX. For more information on how Security Ledger works with its sponsors and on sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.
As always, you can check out our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.