Organizations rely heavily on third parties for products, services and software, in order to conduct day-to-day business operations. With increasing frequency, cyber attackers are taking advantage of this critical relationship between large organizations and vendors, resulting in multiple data breaches in the last few years reported to be directly attributed to a third party. According to a 2016 study from the Ponemon Institute, respondents spend an average of $10 million a year on security incidents resulting just from third parties alone.
Many times, these third party vendors do not have the infrastructure, staffing or knowledge to properly address today’s cybersecurity threats, and yet organizations are still sharing their data and allowing access to their systems, applications, and processes. Sharing data with these vendors is one well-known area of concern, but another major risk factor exists in simply connecting the two networks. Hackers are known to take the path of least resistance – often the less-secure networks of a vendor – to pivot directly into the primary company’s system.
While most businesses recognize this risk, statistics illustrate that most organizations still do not have an effective vendor risk classification program in place. This leads to improper risk assignments due to a few key reasons:
- Small and medium-sized businesses have traditionally been cost-prohibitive to assess (often overlooked)
- Vendor tier levels have typically been associated with the size of the vendor/business, not the risk they bring to the table (misclassification)
- Vendors are not routinely assessed for cybersecurity risk and, when they are, it is often only at the time of onboarding (underassessed)
Join third-party risk and forensics experts from DatumSec, DocuSign, and Stroz Friedberg for a webinar to learn how organizations can effectively and efficiently assess all of their vendors, and what the data tells us about the true nature of cyber risk for small- and medium-sized businesses. Access the webinar recording here.
Vice President, Stroz Friedberg
William Dixon, a Vice President in Stroz Friedberg’s Cyber Resilience Business, is responsible for developing innovative security strategies in order to further clients’ business objectives while addressing the evolving threat landscape. He has more than 15 years of experience as a leader in security risk management, program governance, third party risk management, security operations, and cyber threat assessment.
Vice President, Business Development, DatumSec
Michael Schell, a former US Army active duty veteran and highly experienced cybersecurity executive based in Los Angeles, has multiple years of experience as a former cybersecurity practitioner, consultant and leader. Michael is currently the Vice President of Business Development and Strategy for DatumSec, which focuses on helping organizations manage third-party risk.
Director – Third Party Risk and Brand Protection, DocuSign
Valerie Vizena has nine years of experience in security and risk management and currently leads DocuSign’s Third Party Risk and Brand Protection programs. Prior to DocuSign, Valerie led several risk departments within Visa including their Global Brand Protection Program, Visa Contracted Vendor (Third Party Risk) program, Third Party Service Provider compliance program and the Acquirer and Prepaid Issuer Programs.