Throughout the beginning of December, a major web service and retail provider (one that now controls 33% of the cloud infrastructure market) experienced an outage that hampered operations across its business and its third parties at the peak of the holiday purchasing season, postponing gift and food deliveries across the whole of the United States and taking down web services for major companies using the platform. National news coverage outlined a number of ways the outages affected businesses; the main cybersecurity implication, however, is the impact that a third-party web hosting outage can have on your business resilience strategy and security posture.
So, what can you do to stand up a business resiliency plan that reduces the impact a third-party disruption could have on your business?
What is Business Resilience and How Does it Relate to Third-Party Risk Management?
Business resiliency, also referred to as business continuity, is the ability of an organization to react to an incident of any size and to continue efficient and secure operation through it. The impact that a major web service outage can have on both your organization and your third parties is significant, even if you don’t directly use the service experiencing the outage. Some of the ways you can be impacted are:
- Internal outages and lapses in operational capabilities
- External outages affecting areas across the supply chain
- Vendor outages opening your organization to supply chain vulnerabilities
- Operational shifts that affect data gathering, storage, and security
- Vendor data security being impacted, leaving your company’s data at risk
Implement a business resiliency plan that enables your organization to switch web hosting providers quickly or turn on a backup to keep applications online, filling any gaps in service and ensuring critical protective systems continue to do their jobs. Business resilience that takes third-party implications into account is key to standing up a solution that holistically addresses the security concerns that come with potential outages.
Create a TPRM-Informed Business Resilience Strategy
When treating third-party risk management (TPRM) as a key consideration of your organization’s business resilience strategy, do the following:
- Conduct and maintain business impact assessments (BIAs): This will allow your organization to understand the risk associated with a vendor in the event that it is compromised.
- Develop situational questionnaires: In the face of an unexpected crisis (health crises, natural disasters, geopolitical conflicts), it’s important to understand exactly how your vendors are responding so you can prepare for any incidents that might stem from the crisis. This will provide visibility into what your vendors are anticipating and give you an opportunity to understand their own continuity plans.
- Include resilience plans in vendor contracts: It’s critical to your organization’s resiliency plan that each vendor contract includes a list of business resilience requirements that can be referenced if your vendor faces a crisis.
- Tier vendors and evaluate risk tolerance: Identify and tier your vendors by risk level, referencing your organization’s overall risk appetite and tolerance. This requires you to understand your internal and external vulnerabilities, and encourages you to assess risk across domains, including IT and operational risk.
How Can OneTrust Help with TPRM and Business Resiliency?
The OneTrust platform leverages expertise in GRC, specializing in Third-Party Risk Management, Privacy, Incident Management and many other categories, to deliver an immersive security and privacy management experience. Reduce your vendor, supplier, and third-party risks with OneTrust Vendorpedia™ Third-Party Risk Management Software and Exchange Community. The software allows you to gain visibility into your vendor ecosystem by streamlining the onboarding and questionnaire processes, letting you access and organize vendor information in a way that empowers your business to create a TPRM-informed business resilience strategy. It enables your organization to reduce business resiliency risks, assess vendors’ business resilience plans, and increase transparent information sharing and collaboration across your third parties through the Vendorpedia Exchange Community.
Further cybersecurity reading:
- Blog: Managing Third Parties: Improving Business Resilience
- Blog: Trust Talks: Actioning Trust-Based Cybersecurity from Individual to Enterprise
- Blog: Put a Hold on Hacks: Fight the Phish and Other Common and Emerging Cyberthreats
- Blog: Educate, Empower, Enable: The Importance of Cybercentric Education
Next steps on cybersecurity: