Cybersecurity Tip of The Day #11
- Advosec
- Jul 31, 2020
- 1 min read
Negotiate and build in third-party accountability during the contracting phase of procurement - not just during assessments

Third-party risk has become a focal point for most information security programs around the globe. In fact, recent studies have shown that nearly 60% of data breaches are caused by a third-party vendor.
To combat this growing issue, many programs have implemented an analysis process, which includes a series of questionnaires, surveys, scans, and more before making a recommendation to the business regarding the level of safety each vendor demonstrates. These are all good practices, but there's one major issue - these assessments are a point-in-time analysis of a company's security posture. A single month of missed patches or one version of bad code can flip a company's "score" upside-down.
This is why it's important to build several expectations and requirements into the contract up front. Make sure your vendors are being held completely accountable for maintaining an appropriate level of security, notifying you of incidents within a reasonable amount of time, and continuously sending updates on the status of their own security program - good or bad.