Can you measure your company’s data security oversight? You can, with BitSight
How many digital services does your company use? The answer will depend on the size of your organization, of course, but even in small businesses, there may be several dozen.
Email services and web hosts are ubiquitous, and some use different DNS providers from either of those. Then, there are various file-sharing services, collaborative platforms, financial systems, databases, CRMs, and possibly a variety of ERP-like software running either inside the network or in the cloud.
In larger enterprises, there may be thousands of digital systems in place, some in daily use and others accessed just occasionally, such as archive services for data, or cold-stored databases.
Every company’s digital supply chain, in turn, has its own suppliers: the cloud-based collaborative workflow system used by, for example, your marketing function, will probably be hosted by a third party (to you, that’s a “fourth party”). While the hosting service may be a big-league player like Microsoft Azure or AWS, the situation may not be clear, and, according to a 2018 Deloitte survey, only 2 percent of respondents said they regularly identify and monitor their fourth and fifth parties. Fifty-seven percent said they didn’t have adequate knowledge of or any visibility into the subcontractors engaged by their third parties.
Unfortunately, that’s not the case in the eyes of the law in an increasing number of jurisdictions. Under GDPR – to take perhaps the best-known example – the data controller in your organization is responsible for data governance over all the data you control, not just the data you control on your own systems. A data breach comprising your customers’ personal information, hacked from a third party’s servers, is the same, in pure legislative terms, as credit card details taken from a cluster in your wholly-owned, private data center.
This is the situation for which BitSight offers meaningful solutions. The company, headquartered in Boston, MA, and currently helping thousands of companies with the self-same quandary, knows that in today’s unforgiving cybersecurity and privacy climate, the mantle of responsibility spreads much more widely than it used to. The complexities of the situation may seem overwhelming at first, but the offerings from BitSight help companies enact a framework that ensures greater safety, legislative adherence, and quantifiable security ratings.
BitSight Discover helps companies map out the spider’s web of digital supply chains, ensuring you know where your data may be flowing, to and from whom. That has numerous advantages. Firstly, it enables a set of assessment standards to be put in place: new suppliers or services can be assessed for suitability pre-procurement while existing digital suppliers are checked for good practice. That leads neatly into the ability for enterprises to identify potential points of failure that are wholly outside of direct control: if multiple vendors are supplying platforms that all use service X, what might the impact be on your organization if service X fails?
Data protection is all about risk management, and without a transparent risk picture, there is no way of assessing the real safety of the enterprise’s information. That transparency begins with an auditing process and then needs to continue as the supplier picture changes. More substantial changes taking place also need to be subject to the same rigor: acquisitions, mergers, and significant partnerships all come with financial risk in the traditional definition. But now cybersecurity concerns also play a significant economic role, as any company finding itself at the mercy of data-related litigation will attest. As GDPR-like legislation spreads, even those few companies with absolutely no dealings whatever with Europe will have to prove their good practices in data stewardship similarly.
How best to measure risk, specifically cyber risk? Here BitSight Security Ratings provides an eponymous service. Quantifying the enterprise’s own performance is crucial if standards are to be maintained. Without a measurable metric, there’s no way to judge performance and raise standards over time. The same measures can be used in third-party assessment, providing empirical evidence that justifies choices and creates safe environments for information flows.
By the same yardstick, compliant companies can differentiate themselves to customers or clients that are increasingly aware of the dangers of data loss. The same measures can even be used to help determine the cost of digital risk insurance (and will be used by actuaries themselves, increasingly as time goes on, we suspect).
No one needs to have the potential pitfalls, penalties, and consequences of data breaches explained to them. But many are not aware of the extent of their responsibilities as data controllers, and it’s in these instances that BitSight’s solutions can be effectively leveraged. To learn more, you can request a demo or discover your organization’s own cybersecurity rating.