Modern businesses must be agile, flexible and innovative. Business leaders are always looking for the next opportunity, and speed is of the essence. Whether they’re looking to scale up quickly for a new project, or seeking to harness the benefits of the latest and greatest technology, it’s often necessary to go beyond company walls and sign up with a vendor for new software or services.

You may have spent considerable resources to ensure that your security is strong, but what about your third-party vendors? We’ve discussed before how cybersecurity is only as strong as the weakest link, but sometimes that weak link is a partner.

If you’re sharing precious data with a third party, then you had better be sure that it’s being protected properly, in accordance with your own security protocols. As we noted before in an article that received a ton of attention, the cost of a data breach is potentially very high.

Risk is growing

Last year was a record year for data breaches, and the finger is being firmly pointed at third parties. With 63 percent of all data breaches linked directly or indirectly to third-party access, according to a Soha report, this is clearly an issue you can’t afford to ignore. And yet, many companies are not taking the steps they should be to secure their data.

The number of cybersecurity incidents involving vendors is increasing, according to 73 percent of respondents to a Ponemon Institute survey, but 58 percent admit that they are not able to determine if vendors’ safeguards and security policies are sufficient to prevent a data breach.
Problems highlighted by the survey include a lack of accountability, a lack of clarity about who is responsible, and a lack of visibility into vendor practices.

In a CSO story about New York State’s new sweeping cybersecurity regulations, Brad Keller, senior director of third party strategy at Prevalent, a provider of third party risk management solutions, said, “If I’m a hacker, it’s reasonable for me to expect that it will be harder to break into a top-five financial institution than into a medium-sized company that provides services to financial institutions. And if I get into a vendor that provides access to twelve banks, then I get access to twelve banks’ data as opposed to one.”

It’s good to see New York State taking action to regulate and force financial firms to take extra cautionary steps to ensure that the third parties they do business with are protecting personal data properly, but it shouldn’t require legislation. Companies should be taking third-party risk management a lot more seriously.

Do you know where your data is?

For effective third-party risk management, you must start with a clear understanding of exactly where your data resides, which vendors have access to what, and what security measures are in place to safeguard it. However tight your internal controls are, they become irrelevant if you don’t know what happens to your data downstream.

Map out your data and track its journey both internally and externally. You need to do a proper risk assessment and identify potential weak spots. Pay close attention to the location of partner data centers, and examine whether they subcontract to other vendors. At the end of this exercise you should have the complete big picture of where your data is and who has access to it.

Formulate a strategy

Start by making it crystal clear who oversees vendor management, and empower them to drive your new strategy forward.
The likelihood is that you’ll need to include people from different departments, so make sure there’s no buck-passing option. Your vendor management team can begin with a critical look at your current data map to see if access can be reduced, and the resulting risk curtailed.

It’s also vital to take a closer look at your vendor agreements and contracts – what happens if a data breach does occur? You should have provision in the contract to financially penalize non-compliance and to compel your vendors to prove that they’re protecting your data. You’ll need your legal and compliance departments to be heavily involved here. The right service-level agreements will include provision for data breaches and should protect your company not just from downtime, but also from legal liability.

Assess, remediate and review

You cannot, under any circumstances, simply trust your vendor to meet its security obligations. You must fully assess them. It’s also important to remember that any risk assessment you do only gives you a snapshot of the current security state. Regular testing should be set in stone, and it’s smart to include some element of real-time continuous monitoring.

Having done an assessment and identified risks, you also need a solid plan to mitigate them. Every assessment should uncover some recommendations and provoke some action that tightens your security.

Remediation must also be fully audited, so that you can ensure the suggested actions have been taken. This process needs to include the option to terminate agreements when the vendor is not in compliance.

Ultimately, you need to know that your data and your reputation are safe at all times, and you simply can’t do that without a solid third-party risk management program in place.