Bookmark and Share

Securing What You Share: Improving Your Third-Party Security

The group started out by noting that even though third-party business is something companies have been managing for many years, each organization is at varying levels of maturity regarding the process and security of the relationship. This really begins with how an organization handles supplier risk as a whole, and how secure the third-party itself may be. The more you know about how your third party handles risk and secures their information, the better it is for your relationship and your organization’s safety. Ensure that communication is clear and regulations are clearly outlined in your contracts. Security teams must also assess company partners for risk prevention, mitigation, governance compliance, and any other aspect that they would assess their own team for. The third party must be aware of what level of security the team expects; what the defined maximum level of risk is; how often the team will conduct an assessment of their processes; and anything else that keeps data and information secure between the organization and the third party. Furthermore, regardless of how much an organization may need what a vendor supplies, if they present too much risk or do not protect their assets securely enough, the group agreed that teams must put remain firm in their stance—either the third party steps up, or the organization will part ways and seek out another supplier. The other important aspect of this group’s discussion was third-party breaches and how companies handle such an issue. Having a response process already in place in case a breach happens is the first step to efficiently mitigating the problem; the second step is letting your third-party providers know in advance what your expectations and processes are in the event of a breach. Many times, companies will only give a provider vague generalizations about what to do in the event of a breach, which can quickly lead to the issue getting out of control. Security teams must work to examine what they have laid out and amend them as necessary—as breaches become more frequent, detailed expectations become more important. There is no guaranteed method to prevent breaches completely, especially when a business is working with one or multiple third parties, but clearly defined boundaries can help mitigate the issue significantly should it occur.