The Identity Blog


The weak link in your enterprise security lies with third parties, including partners and suppliers

Vendor Risk

According to a survey conducted this past fall by the Ponemon Institute, “56 percent of organizations have had a breach that was caused by one of their vendors. Meanwhile, the average number of third parties with access to sensitive information at each organization has increased from 378 to 471. We know that this number is low, as most companies don’t even know who has access when it comes to third parties. Only 35 percent of companies had a list of all the third-parties they were sharing sensitive information with while only 18 percent of companies say they knew if those vendors were, in turn, sharing that information with other suppliers. That’s a problem, because customers don’t care if it was the company’s supplier that lost the data, not the company itself.”

According to the study, if a company evaluates the security and privacy policies of all its suppliers, the likelihood of a breach falls from 66 percent to 46 percent. While this is a great step in the right direction, it ultimately misses the biggest area for improvement. Knowing who the vendors are and how risky they are should be the first step in addressing vendor, partner, and non-employee identities. Onboarding vendors is where the risk begins, and it ultimately ends with a third-party identity being breached. Once a breach occurs, it doesn’t matter where the blame falls: customers expect the company they trusted with their data to resolve the problem and ensure it won’t happen again. Usually the latter costs more than the breach itself; repairing a damaged brand can cost a company years and millions of dollars.

Regulators are increasingly looking at third-party risks. Last year, New York State financial regulators began requiring financial firms with a presence in New York to ensure that their suppliers’ cyber security protections were up to par. Third-party breaches are becoming more common, and any organization’s security is only as good as its extended network.

On May 25, 2018, Europe will do the same with its General Data Protection Regulation (GDPR), which applies to all companies that collect personal information from Europeans. GDPR fines are steep — up to 4 percent of total global revenues. GDPR extends your organization’s responsibility for its customers’ PII to the third parties with whom it shares this data. Organizations can have hundreds to thousands of relevant third parties.

Third Party Identity Risk and Lifecycle Management

In other words, if any member of your network of trusted third parties — vendors, partners, contractors, consultants, outsourcers, etc. — acts negligently and your customers’ PII is compromised, you’re also liable for penalties and fines.

To put this in context for the Global 2000 (which have revenues between $1.6 Billion and $171.1 Billion according to Forbes), this means fines could potentially amount to between $64 Million and $6.84 Billion!

You must not only protect customer data within your own IT environment, but also ensure that the processes and practices of your third parties are compliant with the relevant regulations and requirements.

SecZetta specializes in third-party identity risk management. According to Gartner, many companies have yet to design IAM programs specifically for third parties, particularly when it comes to governance, risk, and monitoring.

SecZetta’s third-party identity management suite installs into any IAM system to help manage third-party identities and their associated risks.