By Fred Kneip, CyberGRX
Business expansion and growth are standard signs of a healthy economy; however, such rapid advancement often goes hand in hand with outsourcing, one of the major entry points that leave retailers vulnerable to data compromise. As brands outsource tasks and services to support their growth, they also share and exchange data with third-party vendors. This exchange of information expands the company’s attack surface and ultimately increases its cyber risk. The security of your organization and its data now depends on the security of your third parties. As a result, it is critical for retailers to proactively monitor their third-party ecosystem and work with vendors to identify and mitigate critical control gaps that could put the organization and its intellectual property at risk.
Target, Macy’s, Adidas and many more know this to be true, all having suffered high-profile third-party data breaches in recent memory. The Target breach occurred because the retailer’s network was compromised using credentials stolen from an HVAC vendor. Other retailers around the world have inadvertently exposed customers’ payment information because of exploited point-of-sale software. These are real attacks with real consequences that could have been prevented with a more proactive approach to third-party risk management. With Kaspersky’s recent assessment that the average cost of an enterprise breach is $1.23M, retailers can no longer ignore the need to protect themselves from third-party cyber risk.
In order to protect their businesses and
customers, retailers should maintain ongoing visibility into their ecosystem,
so they can quickly identify, reduce and mitigate third-party risk. Below are a
few steps that retailers can take to manage third-party cyber risk:
1. Proactively Plan & Prioritize: Identify the vendors in your digital ecosystem and evaluate them based on the level of data shared to determine the potential impact to your business in the event of a breach. From there, you will be able to prioritize your third parties based on the risk they expose you (and, by proxy, your other vendors) to, and carry out the level of due diligence appropriate to onboard each vendor into your network with confidence.
2. Consistently Assess and Monitor Third Parties: Don’t fall into the compliance checklist trap. It is not enough to assume that checking the boxes once a year is satisfactory proof that a company is consistently making well-informed decisions about its security posture. Instead, carry out ongoing, continuous risk assessments that go further than a simple scan and actually evaluate the security practices and controls of your third parties. Use dynamic data and analytics in place of static assessments to ensure you have an up-to-date view of your third parties and ecosystem. This will arm you with the insight to make informed decisions about any control gaps.
3. Employ a Scalable Approach: As your organization continues to expand and outsource, your processes for onboarding third parties will also need to scale. Move beyond static, manual processes to dynamic exchange and utility models that will grow with your evolving ecosystem and needs.
4. Collaborate: We become more integrated and
connected as our ecosystems evolve. To be truly effective at mitigating and
reducing risk, we need to work together — with our third parties and with each
other — and approach this as a community of like-minded organizations dedicated
to creating secure ecosystems.
If history repeats itself, we could be days or even minutes away from the next massive retail breach. However, by implementing a collaborative and proactive approach, brands of all sizes can effectively manage a third-party risk strategy that will evolve as they grow.
As CEO of CyberGRX, Fred Kneip is responsible for the overall company direction. Prior to joining the company, he served in several senior management roles at Bridgewater Associates, including Head of Compliance and Head of Security. Before that, Kneip was an Associate Principal at McKinsey & Co., where he led the company’s Corporate Finance practice. Kneip has also worked as an investor with two later-stage private equity investment firms, and he holds a B.S.E. from Princeton University and an M.B.A. from Columbia Business School.