Increased Reliance on Third Parties
Organizations rely heavily on third parties for improved profitability, faster time to market, competitive advantage, and decreased costs. Third-party relationships come with multiple risks, including strategic, reputational, regulatory, information security, and financial risks. In a recent Ponemon Institute survey, fifty-six percent (56%) of organizations said they had experienced a data breach stemming from a third-party security failure.
New privacy rules designed to better safeguard the personal data of individuals, including data exposed through third-party breaches, are becoming law around the world. Recent examples include the EU's GDPR, Singapore's Personal Data Protection Act (PDPA), and Australia's Notifiable Data Breaches (NDB) scheme.
New Canadian legislation just became law on November 1st, 2018. Known as the Personal Information Protection and Electronic Documents Act (or PIPEDA), it requires Canadian companies to alert their customers any time their personal information may have fallen into the wrong hands.
Among the new rules is a requirement that companies keep accurate records of their cybersecurity safeguards for two years afterward, in case a breach comes to light later. The law also calls for "appropriate" digital safeguards in all parts of the business, including dealings with third-party contractors. The rules provide for penalties of up to $100,000 per violation.
The United States is currently exploring a nationwide data breach mandate. With so many high-profile data breaches in the news, U.S. states are taking steps to tighten up their data breach notification laws. Since June 1, eight U.S. states have either amended or enacted tougher new data breach notification laws. Across the United States, there is growing acceptance of the idea that more steps need to be taken to protect personal information from falling into the wrong hands.
In America, all 50 states (plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands) now have enacted legislation requiring both private and governmental entities to notify individuals of security breaches involving personally identifiable information.
You must not only protect customer data within your own IT environment, but also ensure that the processes and practices of your third parties comply with the relevant regulations and requirements.
SecZetta specializes in 3rd Party Identity Risk and Lifecycle Management. Years of experience have shown us that companies are still struggling to address the complexity associated with third-party, non-employee populations.
There are a number of challenges organizations face including:
- No ownership within the organization for non-employees
- The number of different non-employee population types
- Complexity of business requirements
- Lifecycle changes
- Collaboration with partners
- Compliance mandates
According to Gartner, many companies have yet to design IAM programs specifically for third parties, particularly when it comes to governance, risk, and monitoring. SecZetta's 3rd party identity management suite fits easily into existing IAM and HR programs to help manage third-party identities and their associated risks. Our customers find that the solution can handle any business requirement needed to effectively manage third-party non-employees, including collaboration tools that bring IT security, lines of business, partners, and vendors into the process. The key to successfully managing third-party risk is a purpose-built system.
With a successful implementation of a third-party identity lifecycle solution, you should be able to easily answer a few questions:
- How many third parties are in our environment?
- Who is the sponsor of a particular third party?
- Which partner does a particular third-party non-employee work for?
- What risk does this individual pose to our organization?
- Does this third party still work for that partner, and are they still engaged with us?