Mon, Apr 13, 2020

What Key Third-Party Controls Does Your Organization Have in a Disaster?


During any crisis, whether it is a pandemic, war or other massive disaster, one of the immediate priorities is your organization's internal cyber security. It is your organization's responsibility to ensure that the protected information of your employees, clients and others is kept as secure as possible. The current situation shows why this is wise: Europol recently announced that cyber threats are "[E]xpected to continue to increase in scope and scale." You must also take time to consider the cyber security controls of your vendors, suppliers, partners and other third parties, who may have access to protected information, provide a critical service or have access to your network or facilities.

As soon as possible, you must turn your attention to those third parties, evaluate how their controls are set up and check whether they meet your requirements. There are many controls you should examine to ensure adequate cyber security maturity in your third parties. While all play an essential role, a massive crisis raises the priority of specific controls: these are the ones most likely to be tested in the weeks and months to come. When reviewing your third parties' controls, we suggest the following focus areas:

Business Continuity and Disaster Recovery Planning

When systems shut down and alternative resources are activated, having a plan for keeping the organization operating (business continuity) and restoring to previous levels of activity quickly (disaster recovery) is critical. Unfortunately, we have found that as many as 36% of organizations do not have a formal business continuity or disaster recovery plan.

Resiliency Requirements

Almost as important as having plans to protect assets is understanding the needs around what you are trying to protect. Understanding the resilience requirements for your IT assets helps ensure your organization can provide services during a crisis. Yet we have found that 42% of organizations have not established formal resiliency requirements.

Remote Access

Whether it is a hurricane, a pandemic or something else, there is a high likelihood that organizations will have employees working from home at some point. To ensure continued operations, most organizations will have to allow some remote access to their networks and databases. While this keeps services running, it also increases the likelihood that malicious attackers will be able to access the network remotely. Although remote access can be made more secure, 17% of organizations we reviewed either do not allow remote access or do not manage it at all.


When accessing systems remotely, one of the best ways to reduce the effectiveness of malicious actors is to instate more controls on authentication. Many organizations rely on multiple factors of authentication, usually defined as something you know (a password), something you have (a token or an application on a smartphone) or something you are (such as a fingerprint). Unfortunately, we have noted that as many as 39% of organizations only require one factor (usually a password) to access the network, which increases the risk of many different threats. 

Cloud Services Inventory

Most organizations have a good understanding of their IT inventory, such as servers, desktops and laptops. What many organizations struggle with, however, is the growing number of cloud services their organization may use. This number can balloon during a disaster and render the existing IT inventory useless. Cloud-hosted services, such as storage, customer relationship management tools or communication platforms, become critical during a disaster as teams seek out new resources to get the mission done. Understanding what is "on the cloud" becomes very important when more of the organization is working remotely. We have found this inventory to be an area of significant challenge: as many as 54% of organizations have not formally reviewed their list of cloud services.

While many other controls require evaluation, the five listed above should help you understand how prepared an organization is for the crisis we are all in. Being ill-prepared is not in itself indicative of a specific cyber threat; however, those who are forced to scramble are prone to mistakes that could lead to a significant data breach.

If you do not know how your third parties are performing against these and related controls, we can help. Duff & Phelps' CyberClarity360 platform can quickly collect information from multiple targets, either internally (e.g., business units, sites and subsidiaries) or externally (e.g., third-party vendors and suppliers), to help organizations understand business continuity risk, disaster recovery planning, cyber risk and more. In some cases, we can identify critical controls without any interaction with the third parties, making the process of collecting the information quick and painless.

Please reach out to us at [email protected] to see how we can help in understanding your third parties’ readiness.
