A Guide For Retailers Seeking To Effectively Manage Third-Party Risk
By Fred Kneip, CyberGRX
Business expansion and growth are standard signs of a healthy economy; however, such rapid advancement often goes hand in hand with outsourcing — one of the major entry points that leave retailers vulnerable to data compromise. As brands outsource tasks and services to support their growth, they also share and exchange data with third-party vendors. This exchange of information expands the company’s attack surface, ultimately increasing its cyber risk. The security of your organization and data is now dependent on the security of your third parties. As a result, it is critical for retailers to proactively monitor their third-party ecosystem and work with vendors to identify and mitigate critical control gaps that could put the organization and its intellectual property at risk.
Target, Macy’s, Adidas and so many more know this to be true, all having suffered high-profile third-party data breaches in recent memory. The breach that affected Target occurred because the retailer was compromised through an HVAC vendor. Other retailers around the world have inadvertently exposed customers’ payment information because of exploited point-of-sale software. These are real attacks with real consequences that could have been prevented with a more proactive approach to third-party risk management. With Kaspersky’s recent assessment that the average cost of an enterprise breach is $1.23M, retailers can no longer ignore the need to better protect themselves from third-party cyber risk.
In order to protect their businesses and customers, retailers should maintain ongoing visibility into their ecosystem, so they can quickly identify, reduce and mitigate third-party risk. Below are a few steps that retailers can take to manage third-party cyber risk:
1. Proactively Plan & Prioritize: Identify the vendors in your digital ecosystem and evaluate them based on the level of data shared, to determine the potential impact to your business in the event of a breach. From there, you will be able to prioritize your third parties based on the risk to which they expose you (and, by proxy, your other vendors), and carry out the level of due diligence necessary to onboard these vendors into your network with confidence.
2. Consistently Assess and Monitor Third Parties: Don’t fall into the compliance checklist trap. It is not enough to assume that checking the boxes once a year is satisfactory proof that a company is consistently making well-informed decisions about its security posture. Instead, facilitate ongoing continuous risk assessments that go further than a simple scan and actually evaluate the security practices and controls of your third parties. Leverage dynamic data and analytics in place of static assessments to ensure you have an up-to-date view of your third parties and ecosystem. This will arm you with the insight to make informed decisions about any control gaps.
3. Employ a Scalable Approach: As your organization continues to expand and outsource, your processes for onboarding your third parties will also need to scale. Move beyond static and manual processes to leverage dynamic exchange and utility models that will grow with your evolving ecosystem and needs.
4. Collaborate: We become more integrated and connected as our ecosystems evolve. To be truly effective at mitigating and reducing risk, we need to work together — with our third parties and with each other — and approach this as a community of like-minded organizations dedicated to creating secure ecosystems.
If history repeats itself, we could be days or even minutes away from the next massive retail breach. However, by implementing a collaborative and proactive approach, brands of all sizes can effectively manage a third-party risk strategy that will evolve as they grow.
As CEO of CyberGRX, Fred Kneip is responsible for the overall company direction. Prior to joining the company, he served in several senior management roles at Bridgewater Associates, including Head of Compliance and Head of Security. Before that, Kneip was an Associate Principal at McKinsey & Co., where he led the company’s Corporate Finance practice. Kneip has also worked as an investor with two later-stage private equity investment firms, and he holds a B.S.E. from Princeton University and an M.B.A. from Columbia Business School.