What do General Electric, DoorDash, and Airbus all have in common? All in the last 12 months have suffered data breaches due to incidents involving third parties.
GE experienced a data breach of employees' personal information through a third-party partner. DoorDash food delivery company suffered a data breach affecting 4.9 million customers. Airbus, the world's second largest aerospace and defense company, has been attacked multiple times by hackers targeting Airbus' third-party suppliers.
Too often the weakest link in your cybersecurity program is your third parties. It doesn’t have to be this way. Read on for our top five strategies for shoring up your company’s third-party cybersecurity defenses.
1. Properly evaluate third parties
Does your company have a detailed process for evaluating third parties prior to signing contracts? The best way to prevent a third-party cyber incident is to ensure your third parties have robust cybersecurity programs.
Learn more: vetting third parties and building a business case for managing them.
2. Assess and audit SLAs
SLA stands for service-level agreements. It’s the typical name given to third-party contracts that outline requirements and deliverables. Periodically assessing and auditing your third parties can help verify they are meeting the obligations set in the SLAs. The idea is also to address issues before incidents occur.
Watch on demand: Third Party Risk: What Your Board Needs to Know
3. Ongoing monitoring and analysis
Third-party intelligence providers offer independent, unbiased inputs on the status of third parties. If a third party is hit by a cyberattack or anything negative in the public domain, third-party intelligence feeds will report back so you can determine if these put operations at risk.
4. Importance of a data directive
A data breach caused by a third party can endanger customer privacy and run afoul of data privacy laws, including GDPR and CCPA. Help protect your customers by working with your third parties to establish how your data is handled. Who owns the data and has access to it? How long will data be retained? What happens to data if you terminate your contract with them? Make sure you document data ownership and management in your third-party contracts.
Train: California Consumer Privacy Act (CCPA)
5. Enlist the right tool
There are three types of toolsets for managing third-party cybersecurity—manual, point and integrated. Manual tools are typical business application software like spreadsheets. Point solutions are designed specifically for cybersecurity or third-party risk management. Integrated platforms not only help users manage cybersecurity, but also integrate third-party data across the organization.
That’s our five strategies for managing third-party cybersecurity. Your company can have the industry’s best cybersecurity program, but if your third parties have underperforming programs, you’re still vulnerable. Just look at GE, DoorDash and Airbus. Follow these five strategies to help strengthen your third-party cyber defense programs.
See how NAVEX One addresses cybersecurity and IT risk –so companies can stay compliant and operate in a digital world.
