Businesses must pay greater attention to third-party risk

Roles and responsibilities must be agreed on now to avoid blindspots and recriminations

Third-party relationships can pose a significant security challenge for businesses, with a clear delineation of responsibility needed to help avoid pitfalls, IT Pro has been told.

Speaking at EMC World 2016, Rob Sadowski, director of market insight at RSA, told IT Pro that while the supply chain has always been a potential vector of attack for businesses, the number of connected devices in use in any organisation is making it more complex to deal with.

"I think that fortunately this is an area where people are starting to at least recognise that this is a challenge, so it's not that they are completely blind to this idea. But, how do they really wrap their heads around it?" said Sadowski. "What third party relationships do they have? Just cataloguing that is a tremendous challenge."

Even once the number and nature of each third party relationship is established, however, there can still be confusion over who is responsible for certain areas. Indeed, this is something that could go unnoticed for years until one party suffers a breach and each believes it was the other's responsibility to ensure it didn't happen.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"I think that's often the most challenging part - who are the third parties I work with, what are they supposed to be doing, and are they actually doing it?" said Sadowski.

"It becomes a very difficult task and one that, especially as things get more reliant on service providers, really requires a bit of automation and a good process, because third-party risk is really growing significantly as part of the organisation's overall risk profile," he said.

Help is at hand, however, and this issue is being increasingly recognised by standards bodies, which are beginning to incorporate it into their guidelines.

"I think you see in some of the more progressive standards that are out there," said Sadowski. "Take, for example, the PCI Data Security Standard -- in the most recent revisions of the standard, there haven't been a lot of changes to core control objectives and things like that.

"Where some of the evolution has been is in how covered organisations deal with third parties [such as] clearly asking them ... [to] define who is responsible for what requirement and get acknowledgement from them that they are responsible."

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/operating-systems/microsoft-windows/354526/memes-and-viking-funerals-the-internet-reacts-to-the
Microsoft Windows

Memes and Viking funerals: The internet reacts to the death of Windows 7

14 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020