Keeping a Pulse on All Third-Party Connections

One of the main goals of information security is to protect assets.

Charrah Hardamon
Head of Marketing

The core tenets of information security are to protect assets from unauthorized disclosure, to prevent unauthorized changes, and to make them available as needed. These align with the CIA security triad of Confidentiality, Integrity, and Availability.

Getting a Handle on Asset Management

It’s widely acknowledged in information security that you can protect only what you know needs protecting. In other words, if an organization owns assets that are not documented, there’s a real possibility that they are being inadequately secured. This is why asset management is an area that information security professionals focus on first when establishing the foundations of a security program.

The importance of asset management is also reflected in control frameworks like the National Institute of Standards and Technology (NIST) Cyber Security Framework and Center for Internet Security (CIS) Critical Security Controls. The first two controls that spotlight asset management in the NIST CSF are:

  • ID.AM-1: Physical devices and systems within the organization are inventoried
  • ID.AM-2: Software platforms and applications within the organization are inventoried

Similarly, the first two controls in the CIS CSC are:

  • Inventory and Control of Enterprise Assets
  • Inventory and Control of Software Assets

The Problem with Third Parties

While organizations typically have a tight rein over assets in their immediate environment, this is not necessarily true for third parties that they exchange data with. And those are many in number, and often insecure. Per research published by our partner SecurityScorecard, 98% of organizations globally have relationships with at least one breached third party. It’s imperative that an organization knows, with high accuracy, all third parties that it exchanges data with.

Unfortunately, that’s not the case. Recently, we conducted a survey with over 100 executives. We asked them: “How confident is your business that every third-party software vendor that your company exchanges data with is listed in your procurement system correctly?” and provided the participants with four options to select from:

  1. 25% of all software/SaaS partners might be listed correctly with the data being exchanged
  2. 50% of all software/SaaS partners might be listed correctly with the specific data being exchanged
  3. 75% of all software/SaaS partners might be listed correctly with the specific data being exchanged
  4. The majority of all software/SaaS partners are listed correctly but the type of data being exchanged is not correctly marked

Here are the results:

Results shown from a survey performed by Riscosity

The Solution to the Third-Party Data Transfer Visibility Problem

As you can see, most respondents confessed to being less than confident about the completeness and accuracy of their procurement system data. Considering that individual organizations may suffer financial losses, regulatory penalties, and reputational impact if the wrong data is shared with the wrong vendor, or if the vendor suffers a security incident, the above scenario is not at all ideal.

Riscosity offers a solution. By analyzing the organization’s code base for APIs that are used for data transfers as well as the actual data streams themselves, Riscosity can create a complete picture of all data in transit. Additionally, Riscosity lets users act on such insights by blocking, redirecting, or redacting data transfers if they violate internal policies. By implementing Riscosity’s platform, you can be confident that not only do you have an accurate view of all third-party data transfers, but you also have complete control over them. Ready to get a handle on your assets? We’d love to talk to you - find a time that works for you here.