For the last 20 months or so, we’ve worked with nearly 200 government municipalities on cyber loss control projects, now largely completed. Based on the findings from this effort, we’ve identified those areas where many municipalities are most vulnerable and are excited to share practical tips and actionable insights to increase information security in municipalities. This post—the seventh in our Cyber Security Foundation for Municipal Government series—explores the increasingly hot topic of third-party risk management (TPRM).
What is TPRM?
It’s your plan for identifying and managing the security risks and liabilities that relate to your dealings with third-party vendors, contractors, business partners and even customers.
Why is TPRM so important for municipalities?
Here are some of the biggest reasons:
- A huge percentage (up to 63%) of data breaches are directly attributable to the security vulnerabilities of third-parties.
- A huge percentage of organizations admit they fail to adequately manage third-party risk.
- These three trends inherently increase your third-party risk and attack surface:
- Moving more data to the cloud
- Using online services and Software-as-a-Service (SaaS) more and more frequently.
- Using online platforms, open source libraries, and outsourcing development of custom applications.
When you think about it, third-parties have access to much of your sensitive data. Some of the types of data that may be at greatest risk from mishandling by your vendors include health records, financials, workers compensation and benefits data, parks/recreation data, child/elder care data, court records, credit card processing and (last but not least) your payroll.
What does a TPRM program look like?
Basically, it’s about asking vendors the right questions to ensure they have sufficient controls in place to manage the risks associated with storing, processing and/or moving your data. In short, do they have sufficient security practices to keep your data secured in a manner that is consistent with your expectations, best practices, and relevant/laws/regulations.
Integral to TPRM is ensuring that these security requirements are included in your contracts with the vendors. Take a close look at your current contracts with vendors that access your sensitive data. Does the vendor have a requirement to communicate a breach to you? A change to where they store your data? Sufficient insurance to pay for your Breach Notification obligations if your records are breached?
Where do you begin, and how should you prioritize your efforts?
At the end of the day, many municipalities are challenged to find time and resources to address TPRM.
Pivot Point Security has developed a proven TPRM consulting process that guides clients step-by-step from start to finish through identifying, assessing and managing third-party risk in line with their specific goals and objectives. Contact us to speak with an expert about your vendor relationships and risks.
In our next and final post in this series, we’ll get into patching and other technical controls that are vital for municipalities. Until then… stay tuned and stay safe!
Ongoing Series: Cyber Security Foundation for Municipal Governments
We are overviewing this foundational cyber security guidance for municipalities in a series of blog posts. The full list of topics we will be covering includes:
- Covering the bases
- Password management and access control
- Backup and encryption
- Malware and social engineering attacks
- Cyber security awareness education
- Contingency planning: Incident response, disaster recovery and business continuity
- Vendor risk management (CURRENT POST)
- Patching and other “technical controls” (coming soon)