The first thing you can do is take a hard look at what software you use, who your partners are, and how your data is shared. In a highly connected environment this is often a tall order and requires prioritization based on your own IT environment. Start by inventorying the data processors, SaaS services, and manufacturers you connect to and interact with, prioritizing those that directly access your most critical business systems and data.
Next, assess the resources, security controls, and practices those third parties have in place, answering the question of how they protect your data. Understanding where third parties connect into your environment and how they secure their own gives you a better lay of the land and a roadmap for building your defenses. Remember, security is a two-way street: if any connected entity is compromised, every entity connected to it may be exposed as well.
For this reason, many organizations adopt a zero trust methodology to defend against third-party risk. Under zero trust, you assume the network is already compromised and confine each third party to the minimum network access its users need to perform their tasks, granting no implicit trust just because a connection originates from a partner. Combining access management with network segmentation in this way greatly limits the blast radius of a third-party breach and increases your overall cyber resiliency to third-party risk.
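The paragraph above describes segmentation and least-privilege access for third parties in policy terms. The following Python snippet is an added example, not code from the original article or any vendor: it shows how a default-deny allowlist per third party can be expressed and evaluated against connection records. The vendor names, address ranges, service labels and flow records are all constructed for illustration; a real deployment would enforce the same policy in a firewall, VPN or proxy rather than in a script.

```python
"""Default-deny access policy for third-party connections (added example).

Each third party is confined to an explicit allowlist of (destination
network, port) pairs and to the source networks it has declared. Anything
that does not match every check is denied, which is the zero trust stance:
no implicit trust because the connection comes from a known partner.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt, e.g. from a VPN or firewall log."""
    vendor: str      # identity attached to the session (hypothetical vendor tag)
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class VendorPolicy:
    """Allowlist for one third party."""
    source_ranges: list[str]                        # networks the vendor connects from
    allowed_services: dict[tuple[str, int], str]    # (dst network, port) -> label


def evaluate(policies: dict[str, VendorPolicy], flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason). A flow is allowed only if every check passes."""
    policy = policies.get(flow.vendor)
    if policy is None:
        return False, f"unknown third party '{flow.vendor}'"
    src = ip_address(flow.src_ip)
    if not any(src in ip_network(r) for r in policy.source_ranges):
        # Valid credentials used from an unexpected network: treat as compromise.
        return False, f"{flow.vendor} connecting from unexpected source {flow.src_ip}"
    dst = ip_address(flow.dst_ip)
    for (net, port), label in policy.allowed_services.items():
        if dst in ip_network(net) and port == flow.dst_port:
            return True, f"{flow.vendor} -> {label}"
    # Default deny: the destination is outside the vendor's minimum required access.
    return False, f"{flow.vendor} not permitted to reach {flow.dst_ip}:{flow.dst_port}"


def audit(policies: dict[str, VendorPolicy], flows: list[Flow]) -> tuple[int, list[str]]:
    """Evaluate a batch of flows; returns (allowed count, list of denial reasons)."""
    allowed = 0
    denials = []
    for f in flows:
        ok, reason = evaluate(policies, f)
        if ok:
            allowed += 1
        else:
            denials.append(reason)
    return allowed, denials


# Constructed sample policies: hypothetical vendors and internal ranges.
POLICIES = {
    "hvac-vendor": VendorPolicy(
        source_ranges=["203.0.113.0/24"],
        allowed_services={("10.20.0.0/24", 443): "building management console"},
    ),
    "payroll-processor": VendorPolicy(
        source_ranges=["198.51.100.0/24"],
        allowed_services={("10.30.0.10/32", 22): "sftp export drop"},
    ),
}

# Constructed sample flows: one legitimate per vendor, plus three that must be denied.
SAMPLE_FLOWS = [
    Flow("hvac-vendor", "203.0.113.7", "10.20.0.5", 443),          # allowed
    Flow("payroll-processor", "198.51.100.9", "10.30.0.10", 22),   # allowed
    Flow("hvac-vendor", "203.0.113.7", "10.30.0.10", 22),          # lateral move toward payroll host
    Flow("payroll-processor", "192.0.2.44", "10.30.0.10", 22),     # credentials used from unexpected network
    Flow("unknown-contractor", "203.0.113.7", "10.20.0.5", 443),   # no policy on file
]

if __name__ == "__main__":
    count, denied = audit(POLICIES, SAMPLE_FLOWS)
    print(f"allowed: {count}")
    for d in denied:
        print("DENY:", d)
```

The point of the third denied flow is worth noting: the HVAC vendor's own credentials and source network are valid, but the destination is a payroll host it has no business reaching, so segmentation stops the lateral movement even though authentication succeeded.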