According to a Microsoft survey, more than 40% of workers globally considered quitting their jobs in 2021 as part of the Great Resignation. That number sits at 20% in 2022, according to the World Economic Forum — still a significant and striking number. A recent Deloitte survey reports that 2 in 5 Gen-Zers and nearly one-quarter (24%) of millennials want to leave their current jobs by 2024. Many more are expected to join the crowds in the coming months as they seek higher pay, more flexible working conditions, and new challenges.
All of this has clear consequences for hiring and staffing, and with them the potential to cause security problems. Businesses that previously failed to properly implement security standards have expressed worry about shifting to remote work. Now, companies also need to be concerned about whether the firms they partner with have policies in place to ensure that departing employees do not take important information or sensitive files with them when they leave.
Adopting a zero trust strategy — which establishes trust with third parties as earned, not implied — can help an organization avoid security risks related to the Great Resignation. Third-party risk management (TPRM) programs should standardize zero trust internally and externally.
Challenges organizations face due to the Great Resignation
According to Code42 research, about 71% of surveyed business and cybersecurity leaders are concerned about a lack of visibility into what and how much sensitive data departing employees take with them to other firms. The same percentage (71%) is concerned about sensitive data stored on departing employees’ local devices, personal hard drives and personal cloud storage and services.
These worries are based on real-world examples of cybersecurity threats companies could face.
Contractors, vendors, resellers and technology partners are examples of third-party users who require access to internally hosted resources, not to mention sensitive personally identifiable information (PII) and intellectual property. These individuals can be located across all time zones and use a variety of unmanaged devices, adding to the complexity of an enterprise’s network and access control.
TPRM and vendor risk assessments
Companies now interact with hundreds of vendors, each with their own agents and subcontractors. Challenges organizations now face include identifying critical vendors by risk tier and establishing a process for periodic review. In this vast network, third-party risks can appear at any time, making initial and ongoing vendor risk assessments essential.
Vendor risk assessments evaluate potential vendors and suppliers to see whether they meet the organization’s service requirements and risk-tolerance levels before the contract is signed. Throughout the relationship, continuous assessments help determine whether the service meets expectations while pinpointing changes in risk levels. The ultimate goal is to build and maintain a portfolio of low-risk vendors and suppliers — such as landscapers, office-supply providers and other partners that present little to no harm to an organization’s tech infrastructure — that help the organization carry out its objectives.
Many businesses have failed to track vendor risks per internal policies and certifications. They blindly rely on a vendor’s reputation, granting them unearned trust and skimping on assessments. Bad move. Instead, companies should use zero trust security measures to establish frameworks for improved security, reduce third-party risks and ensure compliance.
“Trust, but verify” has been a common edict for TPRM. However, increased third-party cybersecurity incidents have shifted the focus to “never trust, always verify.” Don’t mistakenly assume that third parties have adequate security practices just because they have solid reputations. Evaluate their risk levels with objective risk assessments.
Lastly, it’s likely that many third parties work with other providers of their own. Because cybersecurity leaders at one organization have no visibility into their vendors’ third-party risk, organizations shouldn’t assume trust at any point in the chain. Zero trust security measures can help cybersecurity teams uncover unknown areas of weakness in an organization’s vendor population, giving the organization better visibility into those weaknesses so it can mitigate them.
Solving TPRM challenges through automation
It’s not uncommon for enterprises to exchange personal and sensitive information with 500 third parties. Consider how vastly different security can be across hundreds of entities. All it takes to trigger a breach is a security mishap or oversight at one vendor with inadequate security controls. Cybersecurity teams need to verify security at every vendor with whom the organization shares data. Doing so will require formalized processes for evaluating and managing third-party risk.
With an ever-increasing number of data breaches, there’s never been a better time to tune up TPRM processes. Organizations with mature zero trust strategies in place had less costly data breaches than those with no strategies in place — to the tune of $1.76 million on average. It’s no wonder that businesses are putting money into automating their vendor risk management processes.
TPRM automation can help cybersecurity teams manage a growing vendor population with more agility as it speeds up typically onerous processes — onboarding, initial due diligence, and ongoing assessments, among many others.
Robust third-party risk management automation would place a company in the best position to succeed in the long term, even with increased employee turnover. Company progress and reputation — and trust with other vendors and partners — can be put at great risk otherwise. By proactively managing risk and fortifying the entire organization, enterprise cybersecurity teams can better guarantee the protection of sensitive information and ward off potential cybersecurity threats.