How seriously is your company treating the risk of a data breach? Have you done due diligence on all of your vendors and third-party partners? Cyberattacks can have a devastating impact in terms of reputation and customer trust. It takes time and resources to deal with the fall out. The true cost of a serious data breach is hard to calculate.
According to Verizon’s 2015 Data Breach Investigations Report, the estimated financial loss for 70 organizations in various industries around the world from 700 million compromised records was $400 million. No business can afford to ignore a threat like this.
There’s plenty of evidence that the enterprise takes the threat seriously. Gartnerestimates that global information security spending will hit $76.9 million this year, up 8.2% on 2014. But are companies spending that money in the right places? No matter how much internal systems are tightened and improved, companies can still be exposed by third-party vendors.
It’s not enough to ensure that your own house is in order, you have to assess every business relationship. After all, a chain is only as strong as its weakest link, and cybercriminals are adept at finding weak spots. The superintendent of the New York State Department of Financial Services, Benjamin M. Lawsky, summed it up nicely in hisFebruary speech:
“In many ways, a company’s cyber security is only as strong as the cyber security of its third-party vendors.”
For many industries, third-party risk management is not optional. Regulators in the U.S. and Europe are starting to bring more pressure to bear. For example, the Office of the Comptroller of the Currency (OCC) extended regulatory responsibility to senior management in financial institutions with Bulletin 2013-29.
You don’t have to be in the finance industry to learn from the main issues it highlighted:
These issues should resonate with any industry, not just financial services. We’ve seen data breaches in healthcare, hospitality, retail, entertainment, manufacturing, technology, and the list goes on. We find the same root causes every time – a failure to identify and manage third-party risk.
There are lots of different ways you might begin to identify and address risks associated with vendors. Firstly, it’s important to plan properly. There’s no one-size-fits-all answer for third-party risk management, but you should always be asking certain questions:
The planning phase should produce solid documentation, including a comprehensive due diligence report, a map of third-party relationships, risk assessments, performance reports, audits, and reviews. There’s no room for trust. If you don’t ensure compliance with service-level agreements, for example, then you could be exposing your company, not just to the risk of data breach, but also to legal liability.
We need a fresh approach to vendor assessment and an understanding that issues must be addressed in a timely manner. Remediation efforts need to be audited, and there must be room for companies to terminate when third parties cannot or will not comply. There are two major failings with traditional vendor assessments:
In the modern climate, with cyber security growing in importance, there’s simply no room for casual business relationships based on blind trust. It’s time to take third-party risk management seriously and work out a solution that delivers the oversight your business really needs.
This article was recently published in Network World.
Imagery credit Thinkstock.