Because there are so many different kinds of third parties, identifying whether they do or don’t have the right infrastructure or security protocols can be a challenge. Moreover, doing the proper due diligence needed to vet third-party vendors can be costly and time consuming.
As so many organizations rely on a variety of different providers, third parties can become the gateways to the network. In order to mitigate the risk of a breach from a third party, enterprises need to design a vetting process and understand the language of the service-level agreemen in order to best evaluate their contracts.
Yong-Gon Chon, CEO of Cyber Risk Management said, “There isn’t a single cloud service provider that offers SLA for security. Uptime, visibility, yes, but there is no equivalent for security. Most say we have this amount of response time for this kind of data breach, or we will notify you in this amount of time if we find this kind of vulnerability.”
The issue, said Chon, is that security is invisible. “It only becomes tangible when things go wrong.” If enterprises know what they stand to lose when things go wrong, they can make security more tangible before it becomes an issue.
“They need to have a handle around what their most valued data assets are within their business,” said Chon.
Asking questions like, ‘What would happen if that information were breached, stolen, or ransomed out of the organization? What do users have access to? and What can they copy or delete?‘ will give enterprises a clear understanding of how that information flows inside and outside of the organization. “They need a road map to say this is what we should and should not trust with our third parties,” said Chon.
When many organizations are looking to move out to the cloud, there isn’t a full appreciation for what the provider will give them up to and including what security they are providing. Chon said, “They need to understand to whom they are providing access, and they need to be aware of the rules and regulations that govern that.”