
5 Tips for Managing Third-Party Cybersecurity

What do General Electric, DoorDash, and Airbus have in common? All three have suffered data breaches in the last 12 months stemming from incidents involving third parties.

GE experienced a breach of employees' personal information through a third-party partner. Food delivery company DoorDash suffered a data breach affecting 4.9 million customers. Airbus, the world's second-largest aerospace and defense company, has been attacked multiple times by hackers targeting its third-party suppliers.

Too often, the weakest link in your cybersecurity program is your third parties. It doesn’t have to be this way. Read on for our top five strategies for shoring up your company’s third-party cybersecurity defenses.

1. Properly evaluate third parties 

Does your company have a detailed process for evaluating third parties before signing contracts? The best way to prevent a third-party cyber incident is to ensure your third parties have robust cybersecurity programs of their own.

2. Assess and audit SLAs 

SLA stands for service-level agreement, the usual name for a third-party contract that sets out requirements and deliverables. Periodically assessing and auditing your third parties helps verify that they are meeting the obligations set in their SLAs, and lets you address problems before they turn into incidents.

3. Ongoing monitoring and analysis 

Third-party intelligence providers offer independent, unbiased input on the status of your third parties. If a third party is hit by a cyberattack or any other negative event that becomes public, the intelligence feed reports it back so you can determine whether it puts your operations at risk.

4. Importance of a data directive 

A data breach caused by a third party can endanger customer privacy and run afoul of data privacy laws, including GDPR and CCPA. Help protect your customers by working with your third parties to establish how your data is handled. Who owns the data, and who has access to it? How long will the data be retained? What happens to the data if you terminate the contract? Document data ownership and management in your third-party contracts.

5. Enlist the right tool 

There are three types of toolsets for managing third-party cybersecurity—manual, point and integrated. Manual tools are general-purpose business software such as spreadsheets. Point solutions are designed specifically for cybersecurity or third-party risk management. Integrated platforms not only help users manage cybersecurity, but also bring third-party data together across the organization.

Those are our five strategies for managing third-party cybersecurity. Your company can have the industry’s best cybersecurity program, but if your third parties have underperforming programs, you’re still vulnerable. Just look at GE, DoorDash and Airbus. Follow these five strategies to help strengthen your third-party cyber defense program.

See how NAVEX One addresses cybersecurity and IT risk so companies can stay compliant and operate in a digital world.
