It’s challenging enough to keep your own business secure. But when you also have hundreds of third-party suppliers, how can you make sure you aren’t vulnerable to attack? Joining us today is Dov Goldman, the Director of Risk and Compliance at Panorays, and on this episode, we’re talking about cybersecurity, and the strategies and measures you can put in place to keep you safe.
Panorays automates your third-party security management. It enables you to easily view and manage the security posture of your third parties — including vendors, suppliers, business partners, agents, and other forms of intermediaries — who form an ecosystem around your company that represents you. You can continuously monitor your ecosystem, and at the same time, ensure compliance with regulations.
The New York Department of Financial Services
The NYDFS is focused on consumer protection. They regulate many thousands of financial services organizations, and they’re mandating that you do certain things to protect your consumers (for example, their confidential information) and your IT operations (for example, from hacking and other technology-driven threats).
It’s the first regulation that Dov can remember, at least in the United States, that tells you the big picture, and in some areas, specifically how to build and manage an information security and privacy program. It’s relatively new and groundbreaking, illuminating the path for many organizations.
Regulations regarding the third-party risk management program
You need to manage your own cybersecurity in a certain way so you can manage the cyber risk associated with your third-party service providers and outsourcers. The current regulations define a series of principles to follow: from identifying and risk-assessing your third-party providers, to setting a minimum cybersecurity standard for your suppliers, to having a due diligence process that you apply to your subcontractors, including a periodic assessment based on risk.
An added layer of complexity
If you have a set of security standards for your business, and you have third parties doing critical work for you, you would want those same standards applied to them. For all intents and purposes, they are part of your ecosystem and organization, or your “attack surface.”
The complexity comes in because while you are able to do certain things within your organization to meet your security needs, you don’t have that kind of control over a third party. You need to implement third-party assessment and risk management programs, and then negotiate with the other parties to remediate any deficiencies so that they meet your standards. This also needs to be done at scale: if you have 400 service providers, it doesn’t just mean you have to look at policies and procedures 400 times; you will have to look at them 400 times every year to keep everything secure.
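One way to operationalize the "periodic assessment based on risk" principle from the previous section at the scale described here is a risk-tiered review schedule. The following is an added example, not code from the original page or from Panorays: a small Python scheduler that assigns a review cadence per risk tier, works out which vendors in a constructed sample set are overdue or have never been assessed, orders them for action, and estimates the assessment workload for a year. The tier names, review intervals and vendor records are assumptions chosen for illustration, not values taken from NYDFS or from any product.

```python
"""Risk-tiered third-party assessment scheduler (illustrative; constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed review cadence per risk tier, in days. Tier labels and intervals are
# assumptions for this example; a real program sets them from its own policy.
REVIEW_INTERVAL_DAYS = {"critical": 90, "high": 180, "standard": 365}


@dataclass(frozen=True)
class Vendor:
    name: str
    tier: str                      # one of the keys of REVIEW_INTERVAL_DAYS
    last_assessed: Optional[date]  # None = never assessed, so due immediately
    gaps_open: int                 # deficiencies found but not yet remediated


def review_interval(tier: str) -> timedelta:
    """Length of the assessment window for a tier; unknown tiers are rejected."""
    if tier not in REVIEW_INTERVAL_DAYS:
        raise ValueError(f"unknown risk tier: {tier}")
    return timedelta(days=REVIEW_INTERVAL_DAYS[tier])


def next_due(vendor: Vendor) -> Optional[date]:
    """Date the next periodic assessment is due, or None if never assessed."""
    if vendor.last_assessed is None:
        return None
    return vendor.last_assessed + review_interval(vendor.tier)


def days_overdue(vendor: Vendor, today: date) -> Optional[int]:
    """Positive when late, zero or negative when still inside the window, None if never assessed."""
    due = next_due(vendor)
    if due is None:
        return None
    return (today - due).days


def assessment_queue(vendors: List[Vendor], today: date) -> List[Tuple[str, str]]:
    """Vendors that need action today, most urgent first.

    Order: never-assessed vendors, then overdue ones by lateness, then vendors
    still inside their window but carrying unremediated gaps. Ties are broken
    by tier severity (critical before high before standard), then by name.
    """
    severity = {tier: rank for rank, tier in enumerate(REVIEW_INTERVAL_DAYS)}
    pending = []
    for v in vendors:
        late = days_overdue(v, today)
        if late is None:
            pending.append((float("inf"), severity[v.tier], v.name, "never assessed"))
        elif late > 0:
            pending.append((late, severity[v.tier], v.name, f"overdue by {late} days"))
        elif v.gaps_open > 0:
            pending.append((0, severity[v.tier], v.name, f"{v.gaps_open} open gap(s) to remediate"))
    pending.sort(key=lambda item: (-item[0], item[1], item[2]))
    return [(name, reason) for _, _, name, reason in pending]


def annual_workload(vendors: List[Vendor]) -> int:
    """Approximate number of assessments the supplier base requires per year."""
    return sum(round(365 / REVIEW_INTERVAL_DAYS[v.tier]) for v in vendors)


# Constructed sample data with a fixed reference date so results are reproducible.
TODAY = date(2024, 6, 1)
SAMPLE_VENDORS = [
    Vendor("payroll-saas", "critical", date(2024, 1, 15), 2),
    Vendor("cloud-hosting", "critical", date(2024, 4, 1), 0),
    Vendor("print-shop", "standard", date(2023, 3, 1), 0),
    Vendor("data-analytics", "high", None, 0),
    Vendor("office-cleaning", "standard", date(2024, 2, 1), 1),
]

if __name__ == "__main__":
    for name, reason in assessment_queue(SAMPLE_VENDORS, TODAY):
        print(f"{name:16} {reason}")
    print(f"assessments needed per year: {annual_workload(SAMPLE_VENDORS)}")
```

The queue is what a third-party risk team would work from each week; the annual workload figure is what makes the scaling point concrete, since every vendor in the critical tier costs four reviews a year rather than one.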
The Hacker’s View
At Panorays, they have what they call a 360-degree view that maps out a client’s digital assets via a smart questionnaire and through scanning your third parties. They find everything you own in cyberspace, and then test those assets for 10,000 (and growing!) ways hackers can penetrate your attack surface. The goal is to look for vulnerabilities across your entire ecosystem so you can remedy them immediately. After this, they scan continuously and raise alerts when there’s a problem, so you can respond in real time and make sure you’re covered at all points.