To better manage cybersecurity risk, extend zero-trust principles to third parties – TechCrunch


Saket Modi is the co-founder and CEO of Safe Security, a cybersecurity and digital business risk quantification platform.

Today’s cybersecurity landscape requires an agile, data-driven risk management strategy to deal with the growing number of attacks that arrive through third parties.

When a company engages a vendor, sharing data with it and granting it access to the network, it inherits cyber risk through that vendor’s people, processes, technology and its own third-party suppliers. A typical company works with an average of almost 5,900 third parties, which means companies face a large amount of risk no matter how well they secure their own environment.

For example, 81 individual third-party incidents led to more than 200 publicly disclosed breaches and thousands of ripple-effect breaches during 2021, according to a Black Kite report.

The current outside-in approach to third-party risk management is inadequate. The industry needs to move beyond external assessments alone. In particular, companies should establish zero-trust principles for all suppliers, assess risk through both external and internal sources by adding inside-out assessments, and measure cyber risk in real time.

The zero-trust principle of “never trust, always verify” is widely accepted for managing the internal environment, and organizations should extend it to third-party risk management.

To do that, companies must treat suppliers as part of their own business rather than as outsiders who are vetted once and then trusted.
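What “never trust, always verify” looks like once it is applied to a supplier connection, as an added example that is not part of the original article and not Safe Security’s code: every vendor request is denied unless it carries an unexpired assertion signed with a key the company issued to that vendor, comes from a network the vendor registered, and asks for a resource and action that vendor has been explicitly granted. The vendor names, network ranges, resources and keys are constructed for illustration; a real deployment would use an identity provider and mTLS or signed JWTs rather than a shared HMAC secret.

```python
"""Toy zero-trust gate for third-party (vendor) access. Added example; all data is constructed."""
import hashlib
import hmac
import ipaddress
import json
import time

# Per-vendor policy: an explicit allowlist of (resource, action) grants, the source
# networks the vendor registered, and the key the company issued to it. Nothing is
# implied by a vendor's role; an absent grant is a denial.
VENDOR_POLICY = {
    "insurer-42": {
        "grants": {("claims-api", "phi:read")},
        "networks": ["203.0.113.0/24"],
        "key": b"insurer-42-issued-secret",
    },
    "marketing-7": {
        "grants": {("crm-export", "pii:read")},
        "networks": ["198.51.100.0/24"],
        "key": b"marketing-7-issued-secret",
    },
}
MAX_TOKEN_AGE = 300  # seconds: short-lived assertions, re-verified on every request

AUDIT_LOG = []  # every decision, allow or deny, is recorded for later review


def issue_token(vendor_id, issued_at=None):
    """Mint a signed assertion for a vendor (done by the company, never by the vendor)."""
    issued_at = int(issued_at if issued_at is not None else time.time())
    body = json.dumps({"vendor": vendor_id, "iat": issued_at}, sort_keys=True)
    sig = hmac.new(VENDOR_POLICY[vendor_id]["key"], body.encode(), hashlib.sha256).hexdigest()
    return body, sig


def verify_token(vendor_id, body, sig, now=None):
    """Verify the signature with the vendor's own key and enforce the lifetime."""
    policy = VENDOR_POLICY.get(vendor_id)
    if policy is None:
        return False, "unknown vendor"
    expected = hmac.new(policy["key"], body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    claims = json.loads(body)
    if claims.get("vendor") != vendor_id:
        return False, "token issued to a different vendor"
    now = now if now is not None else time.time()
    if now - claims["iat"] > MAX_TOKEN_AGE:
        return False, "token expired"
    return True, "ok"


def authorize(vendor_id, token, source_ip, resource, action, now=None):
    """Default-deny decision for one vendor request. Returns (decision, reason)."""
    decision = "deny"
    body, sig = token
    ok, reason = verify_token(vendor_id, body, sig, now)
    if ok:
        policy = VENDOR_POLICY[vendor_id]
        addr = ipaddress.ip_address(source_ip)
        if not any(addr in ipaddress.ip_network(net) for net in policy["networks"]):
            reason = "source network not registered for vendor"
        elif (resource, action) not in policy["grants"]:
            reason = f"no grant for {action} on {resource}"
        else:
            decision, reason = "allow", "explicit grant"
    AUDIT_LOG.append({"vendor": vendor_id, "src": source_ip, "resource": resource,
                      "action": action, "decision": decision, "reason": reason})
    return decision, reason


if __name__ == "__main__":
    tok = issue_token("insurer-42")
    # The insurer may read PHI from the claims API from its registered range...
    print(authorize("insurer-42", tok, "203.0.113.10", "claims-api", "phi:read"))
    # ...but not export CRM data, and not from an unregistered network.
    print(authorize("insurer-42", tok, "203.0.113.10", "crm-export", "pii:read"))
    print(authorize("insurer-42", tok, "198.51.100.5", "claims-api", "phi:read"))
    for entry in AUDIT_LOG:
        print(entry)
```

The point of the example is the shape of the decision, not the toy crypto: the vendor’s identity, its network, its token lifetime and its grant are all re-checked on every call, the grant table doubles as the inventory of what each supplier can reach (the visibility most companies told Ponemon they lack), and the audit log records denials as well as allows, which is where a supplier probing beyond its remit shows up.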

A looming threat

The amount of data and business-critical information that a company shares with its suppliers is staggering. For example, a company may share intellectual property with manufacturing partners, store protected health information (PHI) on cloud servers to share it with insurers, and allow marketing agencies to access customer data and personally identifiable information (PII).

This is just the tip of the iceberg, and most companies do not know how big the iceberg is. In a survey conducted by the Ponemon Institute, 51% of companies surveyed said they do not assess third-party cyber risk before granting vendors access to confidential information. Moreover, 63% said they have no visibility into what data and system configurations vendors can access, why they have that access, who holds the permissions, and how the data is stored and shared.

This vast network of companies sharing information in real time produces an equally vast attack surface that is becoming increasingly difficult to manage. To cope, companies fold tools such as questionnaire-based surveys and security rating services into their third-party risk management strategies.

Although these tools have certain uses, they also have serious limitations.

Security rating services are a fast and cost-effective approach to third-party risk assessment. Their simplicity, reducing a supplier’s cyber risk to a single score in the way a credit rating does in financial services, makes them a popular choice despite their limitations.
