The Cost of Inadequate Cybersecurity: Why You Can’t Afford to Skimp on Third-Party Risk Management

6 April 2023


In today’s digital age, cyber threats are a constant and pervasive danger, and third-party risk management has become table stakes for securing your business operations. Without adequate protection, your organization may become a prime target for cybercriminals seeking to exploit vulnerabilities in your systems, including those introduced by the vendors and service providers connected to them. Even with limited funds, it is crucial to prioritize cybersecurity measures that safeguard your business and your clients’ sensitive information.

Unfortunately, the economy, which experienced two consecutive declines in real GDP during the first two quarters of 2022 (drops of 1.6% and 0.9%), has raised recession concerns and prompted corporations to move towards cost-cutting measures. As a result, many cybersecurity budgets are under scrutiny. Meanwhile, cyber threats have become more sophisticated. Thus, it’s essential to consider how to fund your third-party risk management (TPRM) program effectively amid leaner budgets and heightened cyber threats.

Understanding the TPRM Budget Challenge

Digital transformation was the primary driver for organizations to adopt more third parties. However, with a more extensive third-party network, organizations face increased exposure to cyberattacks, ransomware, and phishing, to name a few. Worse, phishing attacks are getting more sophisticated and harder to detect, especially as cybercriminals use generative AI tools to correct spelling and grammar errors and create more convincing messages, removing the tell-tale mistakes that awareness training has taught staff to look for.


Recent data from the CyberGRX Exchange shows that 83% of third parties claim to conduct security awareness training, but 42% are not testing their staff’s susceptibility to phishing or the effectiveness of that training. In other words, the gaps in their programs are potentially increasing your risk. Should one of their employees fall for a phishing scam, and that third party holds credentials or network connectivity into your environment, the bad actor can move laterally into your network, too.

Third-party due diligence is critical for identifying vulnerabilities before bringing on new third parties, renewing existing contracts, or considering mergers and acquisitions. Additionally, understanding and safeguarding the points where third-party providers interface with your network (shared credentials, API integrations, VPN or remote-access connections) can limit the impact should an incident occur. Amid a challenging economic environment, companies must decide how to fund TPRM programs that mitigate these risks and the potential financial losses that follow.

Prioritizing Third-Party Risk Management

As the threats posed by third-party risks increase, many organizations are placing a higher priority on their TPRM programs. Decision-makers, however, must find innovative ways to support TPRM budget requests, despite cost-cutting measures spurred by the economic downturn.

Investments in technology are one way to maximize human resources and add speed and efficiency to the security evaluation process. For example, discovery tools can automate the assessment of third-party risks to quickly identify vulnerabilities, freeing up staff to develop corrective action plans, track progress, and work with third parties to validate their control measures. Besides increased efficiency, organizations benefit from more effective risk management, with decisions driven by data on where the risks actually lie rather than on assessment volume alone.

The Charge-Back Model: A Strategy for Diluting TPRM Costs

As organizations bring on more third parties, another way to manage the cost of vendor evaluation is to use a charge-back model. The department that requests a new third party, or that is the primary user of an existing one, is charged back for the internal costs incurred to vet and monitor that third party over time.

This approach can help to demonstrate the costs associated with TPRM solutions and encourage departments to be more selective about the vendors they bring in for evaluation. By doing so, organizations can ensure that TPRM tools and processes are used more judiciously rather than being treated like an unlimited resource.

Presenting Your TPRM Budget: Aligning With Business Objectives

Just like any other area of the business, cybersecurity budget proposals should be aligned with corporate objectives, as this can significantly impact your program’s success. Rather than using fear tactics to persuade executives to fund a TPRM initiative, linking TPRM to business outcomes and quantifying third-party risks can help secure your cybersecurity investment.

Focus more on themes and reasoning than on technical details to establish a connection between your TPRM strategies and their monetary value. Speak the language of your stakeholders, whether that means quantifying the potential financial losses from a third-party breach or detailing how faster risk decisions support revenue objectives.

Cybercriminals don’t take a break during challenging economic times. In fact, they know resources may be thin and capitalize on easier targets. Strategically selecting tools, gaining the support of stakeholders, and even sharing the responsibility of paying for your TPRM program across the organization are ways to keep cybersecurity a business priority. For more on the financial considerations of a TPRM program, download the TPRM Budgeting Checklist.