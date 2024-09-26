By Paul Paget

Business leaders are well-acquainted with risk—operational, financial, geographic, and regulatory/compliance. Organizations have long adapted their services to manage these challenges effectively. However, as the risk landscape evolves, cyber risk has emerged as a rapidly growing concern.

While there are many examples of cyber risks, the third-party ecosystem remains one of the greatest areas of weakness for most organizations. This year, high-profile incidents, such as the Change Healthcare attack, have highlighted the far-reaching effects felt throughout third-party networks when threat actors target major providers. It’s apparent that this new frontier of risk is becoming a bigger burden to organizations in nearly every industry. Much like other traditional areas of risk, cyber risk requires a measured, preventative approach to minimize negative outcomes. So, what should leaders consider when developing their third-party risk strategies?

THE RISE OF THIRD-PARTY RISK

Organizations use third-party vendors to improve workflows, streamline communication, and boost efficiency. However, every vendor connection also widens the attack surface: a threat actor who compromises one provider can reach every customer that depends on it. Along with Change Healthcare, other organizations have fallen victim to third-party breaches this year alone, including Home Depot, AT&T, Ticketmaster, and even the Justice Department. These incidents carry significant costs. In addition to compromising sensitive business, customer, and other stakeholder data, they also involve financial expenses, which may include ransom demands from threat actors, lost revenue, or lawsuits from affected parties. There is also often a reputational cost, which can take considerable time to rebuild.

Collectively, millions of people have been affected by the third-party breaches disclosed so far in 2024, underscoring the critical vulnerabilities businesses face in their extended networks. Security and business leaders have taken note, and plans to prevent and mitigate these risks are now in the spotlight for all stakeholders.

FOUR QUESTIONS TO ASK AS YOU BUILD THIRD-PARTY RISK STRATEGIES

When developing business risk strategies, you should thoroughly understand your third-party ecosystem and consider several factors. Key questions include:

1. Who are your third-party partners?

Knowing who is in your third-party ecosystem is vital for understanding who handles your sensitive data and where potential risks can come from. Software vendors, service providers, manufacturers, suppliers, and contractors can all introduce risk, so it is critical to maintain an accurate inventory of exactly who your organization is dealing with before you can secure those relationships.

2. What do the third-party partners actually do for you?

Once you have identified the third-party vendors your organization relies on, understanding their responsibilities is crucial for effective risk management. Business leaders need to know how external parties store and handle their data so they can address questions from the board or other stakeholders about potential risks, and so they have contingency plans ready in case a vendor suffers an incident.

3. What information do your vendors have access to?

This question lets leaders define where the most risk sits. Third-party vendors may hold or process Social Security numbers, customer addresses, health data, and financial information, all of which are highly confidential and prime targets for bad actors. Leadership must know where their information is going and where the organization could be exposed so they can manage that risk deliberately.

4. Have you classified which of your vendors are critical vendors?

After identifying your vendors and understanding their roles, classify them by risk level. Managing dozens to hundreds of third-party vendors can overwhelm already stretched IT teams, so it is crucial to prioritize vendors based on their importance to the business when assessing risk. Vendors handling the most sensitive information, such as software providers with health, financial, or personal customer data, should be the highest priority, while lower-level suppliers can be classified as less critical. As the Change Healthcare incident showed, a vendor whose outage halts your operations is critical even if it holds little of your data, so criticality should reflect operational dependence as well as data sensitivity.

THIRD-PARTY RISK IS A TOP PRIORITY