Are You Prepared to Deal with Third Party Threats? Ask Yourself These Questions.

Cyber-attacks via third parties pose a serious challenge for all organizations. These are the costliest of all cybersecurity breaches and can cost companies millions in terms of revenue, risk, and remediation. These attacks are being exploited at alarming rates. Are you prepared to deal with these threats? Ask yourself these questions:

  • Do you have a complete inventory of your vendors and what they do for you?
  • Do you know which vendors have access to your network? Are they segregated from your other networks?
  • Do you know where your vendor stores your data?
  • Do you have data breach notification requirements with your vendors?
  • How often are backups of your data made? Are they immutable?
  • How often are restores tested?
  • Is your incident response plan documented and tested?
  • Do you assess and monitor your vendors for good information security practices?
  • Do you have contractual protections in place?

Companies fail to create Third-Party Risk Management (TPRM) programs—or implement them properly—even as data breaches increase in quantity and severity. Especially in less regulated industries, many organizations do not have mature TPRM programs. Even larger companies struggle with the volume and complexity of thousands of third-party vendors.

The absence of mature TPRM programs does not result from a lack of available best practices. Plenty of resources exist that cover:

  • Assessing risk (inventorying and evaluating vendors).
  • Managing risk (creating processes, procedures, policies, contracts, and SLAs).
  • Working with third-party vendors (due diligence, continuous assessments, communication, collaboration).
  • Independently assessing risk with external frameworks (NIST 800-53, ISO 27001/2, Shared Assessments Program, Cloud Security Alliance Cloud Controls Matrix).
  • Planning for worst-case scenarios (incident response, data breach notification, alternate options in case something bad happens to a vendor).

Reiterating these same best practices will not address the obstacles preventing organizations from maturing their TPRM programs. Action is needed as we see every day in the mainstream media. Want to make sure you are prepared? Want to learn more, visit or contact us for a free consultation today.