Third Parties: Know the "Who" and the "When"
November 26, 2018

David Pignolet
SecZetta

With the rise of next-generation technologies, businesses have access to more data than ever, creating opportunities to develop new channels for revenue. Contributing to the increase in data is a growing reliance on the external supply chain. However, with the influx of data comes the necessity to understand the entire third-party ecosystem; its benefits and risks.

Some of the most devastating breaches have been attributed to a third party, so it should be no secret that mitigating third-party risks is crucial. Because vigilance is key, organizations must get their entire vendor ecosystem in check to lower the risks that enterprises encounter when granting third-party vendors and non-employees' access to their network and data.

Assess Your Hygiene

According to research from the Ponemon Institute, 50 percent of organizations don't know who has access to their data, how they're using it, or what safeguards are in place to mitigate an incident. This is largely due to the lack of resources to track third parties, the complexity of business requirements and technology, and a breakdown in communication.

Businesses can start by assessing their security hygiene and enacting a multilayered defense strategy that covers the entire enterprise to include lifecycle management capabilities to manage the coming and going of third party, non-employees, as well as encryption and multifactor authentication for all network- and data-access requests from third parties. The business is going to hire non-employees, so organizations need to be prepared to track and manage risk at both the vendor and identity level.

Select Third-Party Providers That Improve Security, Not Jeopardize It

Some third-party vendors only need access to your network whereas others need access to specific data. No matter how much you trust a third-party vendor you must continuously assess the vendor's security standards and technology as well as track who is being granted access from those vendors once approved. Those companies with robust due diligence and third-party governance stand to benefit in many ways.

Do the Regulatory Changes Affect You

With the increasing data laws to include the EU's General Data Protection Regulation (GDPR) and the dozens of individual United States data policies, organizations must rethink their entire compliance process.

Organizations should restrict third-party access to sensitive data, complete an information audit to determine the data flow to third parties, collect only the data that serves a legitimate purpose, and make sure that all major leaders are aligned.

In the event that information has to be shared with third parties, companies should make certain they know who each person is that was granted access, have a way to manage those identities and, more importantly, have a process by which access can be removed in the event of a breach notification.

It's Not One-and-Done

Successfully managing third-party vendors is ongoing practice, not a one-time task. Companies must recognize that assessing the risk of the vendor is just one side of the coin. Once a vendor has been approved, companies need to be able to track and manage the individuals being brought in from those vendors and take action against the non-employee populations.

All businesses have a responsibility — to themselves and their customers — to implement measures that are appropriate to their unique risks and requirements.

David Pignolet is CEO of SecZetta
Share this

Industry News

August 06, 2020

Push Technology announced the launch of a new Kafka Adapter for their Diffusion Intelligent Data Mesh.

August 06, 2020

Appvia announced the launch of its Cost Prediction and Visibility tool, integrated within the latest version of its Kore platform.

August 06, 2020

LogiGear announced the newest addition to the TestArchitect™ family, TestArchitect Gondola.

August 05, 2020

Logz.io announced a partnership with HashiCorp, a provider in multi-cloud infrastructure automation software.

August 05, 2020

Digitate, a software venture of Tata Consultancy Services, announced the release of ignio™ AI.Assurance, an autonomous assurance product that enables enterprises to deliver better software faster, enhancing their business performance.

August 05, 2020

Harness acquired self-service Continuous Integration firm Drone.io, the creator of the open-source project Drone.

August 04, 2020

Aqua Security announced that its Cloud Native Security Platform is available through Red Hat® Marketplace, an open cloud marketplace that makes it easier to discover and access certified software for container-based environments across the hybrid cloud.

August 04, 2020

Threat Stack announced the availability of Threat Stack Container Security Monitoring for AWS Fargate.

August 04, 2020

OpenLogic by Perforce now provides an enterprise-class alternative to Oracle Java by offering OpenJDK distributions backed by OpenLogic support.

August 03, 2020

MuseDev launched on Github Marketplace the Early Access version of its code analysis platform, Muse, to help developers find and fix critical security, performance, and reliability bugs, efficiently, before they reach QA or production.

August 03, 2020

Styra announced Rego Policy Builder for the Styra Declarative Authorization Service (DAS).

August 03, 2020

Felicis Ventures has invested an additional $5M in Sourcegraph, bringing the total raised to over $46M, including a $23M Series B in March 2020 led by Craft Ventures.

July 30, 2020

New Relic delivered strategic updates to New Relic One.

July 30, 2020

IT Revolution announced the DevOps Enterprise Summit Las Vegas 2020 will be going virtual.

July 30, 2020

Adaptavist announced the acquisition of Go2Group, a US technology firm specializing in Agile and DevOps services and cloud solutions for the enterprise.