The Ponemon Institute conducted a study back in April of 2016 surveying companies to understand the risks to data and the challenges they face in protecting sensitive and confidential information shared with third parties. The result was the Data Risk in the Third-Party Ecosystem study.
Here we will outline the seven risks uncovered by the study and dig a little deeper into how best practices in vendor risk management can reduce these risks.
1. Companies are not able to confirm if third parties have had a data breach or cyber attack involving their sensitive and confidential information.
Use sources like The Privacy Rights Clearinghouse to keep up to date with publicly announced breaches. Public announcements vary state by state.
2. Companies are not able to determine the number of third parties with access to their confidential information and how many of these third parties are sharing this data with one or more vendors.
- Catalog all your vendors across all your business units.
- Then map which vendors have access to critical data and how. This might be an organizational process problem and I’d bet a spreadsheet just won’t cut it.
3. There is a lack of confidence in third parties’ data safeguards, security policies and procedures and if their security posture is sufficient to respond to a data breach or cyber attack.
- Request attestations or certificates and have them fill out questionnaires.
- Request to perform an audit yourself, periodically sending in your experts to survey encryption.
- Find a Managed Security Services Provider to perform an audit.
Don’t forget about 4th party risk! According to the study, 73% of respondents do not believe an Nth party vendor would notify them if they had a data breach.
4. Companies rarely conduct reviews of vendor management policies and programs to ensure they address third-party data risk. In addition, a lack of resources makes it difficult for organizations to have a robust vendor management program to manage Nth party relationships.
This, again, seems to be an organizational process problem where finding scalable technology to gain insight to the Nth party relationships and the ability to collaborate with legal, procurement and other business units would be ideal.
5. Accountability for the correct handling of an organization’s third-party risk management program is decentralized. Similarly, no one department or function is responsible for ensuring that appropriate privacy and security language is included in all vendor contracts.
Ensure there’s a process in place to assess vendor risk across the appropriate parties, and ensure the process has baseline standards. Using a standard questionnaire to understand what kinds of risk the vendor poses, and then which risk experts in the organization should be made aware of the vendor’s potential use, is the first step toward accountability.
6. Senior leadership and boards of directors are rarely involved in third-party risk management and often do not require assurances that third-party risk is being assessed, managed and monitored.
Find a simple, quantified way of explaining the risk of vendors to the board using business impact and inherent risk ratings. Read more about how legislation in New York is holding board members accountable for understanding cybersecurity.
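Items 2, 4 and 6 above all come down to the same data problem: knowing which vendors (and their vendors) hold which of your data, and turning that into a rating the board can read. The script below is an added example, not code from this post or from ThirdPartyTrust. It assumes a constructed inventory of hypothetical vendor names, treats data as inherited by every party a vendor shares it with, and uses the simple "business impact × inherent risk" product as the quantified rating; the 1..5 scales and the product are assumptions, not a scheme the study prescribes. It also handles the case a spreadsheet gets wrong: a fourth party that is reached through two different third parties, or a sharing loop between vendors.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Vendor:
    name: str
    data_classes: set = field(default_factory=set)   # our data this vendor receives from us directly
    shares_with: list = field(default_factory=list)  # names of vendors it passes our data on to
    business_impact: int = 1                         # 1 (low) .. 5 (critical), assumed scale
    inherent_risk: int = 1                           # 1 (low) .. 5 (critical), assumed scale


# Constructed sample inventory: all names and ratings are hypothetical.
VENDORS = {
    "payroll-saas": Vendor("payroll-saas", {"employee-pii", "bank-details"},
                           ["cloud-host", "backup-co"], 5, 4),
    "cloud-host": Vendor("cloud-host", set(), ["cdn-co"], 4, 2),
    "backup-co": Vendor("backup-co", set(), [], 3, 3),
    "cdn-co": Vendor("cdn-co", set(), [], 2, 2),
    "marketing-agency": Vendor("marketing-agency", {"customer-email"}, ["email-platform"], 2, 4),
    # email-platform re-uses cloud-host: the same 4th party reached via two 3rd parties
    "email-platform": Vendor("email-platform", set(), ["cloud-host"], 2, 3),
}
# The vendors we contract with directly (third parties); everything else is Nth party.
DIRECT = ["payroll-saas", "marketing-agency"]


def map_data_flows(vendors, direct):
    """Return {vendor: (party_level, frozenset(data_classes))}.

    party_level 3 = third party, 4 = fourth party, and so on. Data classes
    propagate along shares_with edges. A vendor reached by several paths keeps
    the best (lowest) level and the union of all data it can see. Re-visiting a
    vendor only when something new is learned makes sharing loops terminate.
    """
    reach = {}
    queue = deque((n, 3, frozenset(vendors[n].data_classes)) for n in direct)
    while queue:
        name, level, data = queue.popleft()
        prev = reach.get(name)
        if prev is not None and prev[1] >= data and prev[0] <= level:
            continue  # nothing new to record; this is what stops cycles
        merged = data | (prev[1] if prev else frozenset())
        best = min(level, prev[0]) if prev else level
        reach[name] = (best, merged)
        for child in vendors[name].shares_with:
            # The child sees everything its parent passes on, plus what we give it directly.
            queue.append((child, best + 1, merged | frozenset(vendors[child].data_classes)))
    return reach


def who_has(vendors, direct, data_class):
    """Every party, at any depth, that can see the given data class (sorted by name)."""
    reach = map_data_flows(vendors, direct)
    return sorted(n for n, (_, data) in reach.items() if data_class in data)


def beyond_third_party(vendors, direct):
    """Parties you have no contract with but which still hold your data (4th party and deeper)."""
    reach = map_data_flows(vendors, direct)
    return sorted(n for n, (level, _) in reach.items() if level >= 4)


def risk_score(vendor):
    """Assumed board-level rating: business impact x inherent risk (1..25)."""
    return vendor.business_impact * vendor.inherent_risk


def prioritized(vendors, direct, data_class):
    """(name, party_level, score) for holders of data_class, highest score first."""
    reach = map_data_flows(vendors, direct)
    rows = [(n, reach[n][0], risk_score(vendors[n])) for n in reach if data_class in reach[n][1]]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    for name, level, score in prioritized(VENDORS, DIRECT, "employee-pii"):
        print(f"{name:18} {level}th party  score={score}")
    print("not under contract but holding our data:", beyond_third_party(VENDORS, DIRECT))
```

In the sample, `cloud-host` is a fourth party to both `payroll-saas` and `marketing-agency`, so it ends up holding employee PII, bank details and customer e-mail even though neither contract mentions the other's data; the inventory only shows that because the data classes are merged across paths rather than recorded once per parent.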
7. Companies rely upon contractual agreements instead of audits and assessments to evaluate the security and privacy practices of third parties.
Bring external controls and best practices into contract negotiation when a vendor is being considered for a new or existing service.
To solve a few of these issues, ThirdPartyTrust reduces redundancies in the vendor management process by inviting enterprises and vendors to an online B2B network. US Foods, Advocate Healthcare and Spencer Stuart use us to gain insight to third and fourth party risk, reduce the number of customer security questionnaires and map their digital vendor ecosystem.
To learn more about how ThirdPartyTrust can help you manage third-party risk, request your free trial now.