Matt Kelly, Editor & CEO of Radical Compliance, makes a strong case in this podcast for a need to reassess cyber risk. It is becoming, he says, less of a technical issue and more about how companies interact with others: employees, contract workers, vendors and customers are all risk points for cyber intrusions.
This calls for organizations to ask some key questions about outside partners:
- Should they have access to the network?
- What access should they have?
- Are they straying where they shouldn’t?
These, he notes, are all questions compliance professionals are likely used to asking about other risk areas.
The solution, he argues, involves training, of course, but it also involves using some of the techniques developed for vetting third parties for anti-corruption risk. Ask the business people: How are they going to use the supplier? Why are we outsourcing this? Why did you select this third party?
The bottom line is that you need to understand what the business purpose is and ensure the relationship is fit for that purpose and properly monitored and audited. It’s also critical to ensure that when a relationship ends, access to systems ends with it.
For existing relationships, make sure there is a clear understanding of who owns the relationship. In some cases, there may be no clear owner, which can be a red flag that the vendor probably doesn’t belong on your systems.
Listen in to learn more and hear Matt discuss issues such as how to overcome vendor resistance to audits, understanding when a vendor’s IT security is even better than yours, and the importance of a software bill of materials.