With cybersecurity a growing priority among the business community, more companies are taking important steps to better understand their own security risks. However, many fail to understand the risks presented by third parties.
In fact, a large proportion of security incidents experienced by businesses are a result of third-party relationships – which is why third-party risk management (commonly known in the industry as TPRM) should be a fundamental part of any comprehensive cybersecurity risk management program.
To address risks properly, businesses must first identify and understand them, then use relevant information and assessments to inform decision-making. The U.S. Chamber of Commerce and FICO recently released their Q2 Assessment of Business Cyber Risk (ABC) report, which highlights the need for effective TPRM so that businesses can better manage third-party risk and avoid the unwarranted risks and potential costs associated with third-party cyber breaches.
The risks a company “inherits” from its third parties can be significant. In some cases, companies have suffered a breach when hackers successfully penetrated third parties and then used credentials stolen from them to access sensitive customer data.
There’s ample data to support the need for greater focus on TPRM. More than 60% of U.S. chief information security officers (CISOs) indicated their firm was the victim of a third-party cybersecurity breach, according to Ponemon Institute’s 2018 report. The survey also found that 75% of firms believed their risk of third-party incidents is increasing.
It is imperative that businesses understand their own cyber risk, as well as that of third parties. Accurately and efficiently assessing third-party cybersecurity risk has become a critical priority for many firms. As such, the U.S. Chamber’s newly released Q2 ABC report includes cybersecurity expert and case study findings on TPRM, as well as key steps businesses can take to identify and mitigate third-party risk.