The Target breach in December 2013 elevated third-party risk management from a marginalized security concern to an industry in focus. Even with the added focus, however, third-party related breaches have increased year over year since then. In fact, Ponemon reported there was a 7% increase in third-party data breaches between 2016 -2017. So we have a greater focus on third-party risk management and yet third-party breaches are increasing.
Perhaps the biggest contributor to this paradox is that most organizations still approach third-party risk management with outdated and inefficient processes. Because one thing we know about cyber criminals is that they are constantly evolving to find the path of least resistance. And that path of least resistance is often in your supply chain. If the criminals who are stalking your networks are evolving, why aren’t you?
The reasons for this are varied: limited resources, stagnant budgets, increasing and conflicting priorities and, perhaps the lesser acknowledged but often bigger deterrent – the overwhelming feeling of how and where to start. Given the attention third-party risk management is getting today, overcoming these challenges may not be as hard as it seems. Deloitte published a report in 2017 that said 82% of organizations boards are becoming more involved in risk management. While this may bring unwanted scrutiny, it also brings an opportunity for change.
Third-Party Risk Challenge: Limited resources
Consider the resources you are burning by using outdated technology to support what are likely inefficient processes. Driving an old car may mean you don’t have a car payment, but the cost of gas, maintenance and repairs can ultimately outweigh the savings in car payments. By not adopting new risk assessment methods or not evolving your third-party program, you are likely burning resources on manual and redundant tasks. Not to mention exposing your organization to risk. Several studies in the last year show that not only are organizations not confident in their own third-party programs, but they are not even sure if their third parties’ practices could prevent a breach. Holding fast to outdated processes will not conserve resources; it will only serve to delay your knowledge of the exposure.
New delivery models and assessment approaches can significantly reduce the time spent on managing the collection and completion of assessment data while providing you with greater visibility into your third-party ecosystem. A new approach will not only help you conserve resources but reallocate those resources to more strategic initiatives – like risk monitoring and mitigation. Modern delivery models and standardized approaches will also ensure you have access to accurate and timely information. Organizations need access to current data they can rely on to make informed, risk-based decisions. A standardized and structured approach to risk assessments will help improve the quality of the data you are getting, and a dynamic delivery model will ensure that data is up to date and readily available.
Third-Party Risk Challenge: Conflicting security priorities
According to a 2016 survey by Soha systems, only 2% of respondents considered third-party security a top priority, even though 63% of data breaches were linked to a third party. While that statistic seems to be shifting, third-party risk professionals still struggle with conflicting security priorities. The fact of the matter is, the security of your third parties is your security. You may be able to outsource your data processing, but you can’t defer managing the risk to your customers and shareholders. Cyber criminals know this and that’s why we continue to see an increase in breaches year over year. Regulators have also taken note, hence the increase in regulatory scrutiny and guidelines, some of which carry steep fines.
The European Union (EU) General Data Protection Regulation (GDPR) is a great example of the potential costs that can result from not giving third-party risk management it’s due diligence. Companies that outsource data processing to a third party, such as a vendor or third party, remain responsible for the security of that data. Failure to do so can result in GDPR non-compliance, with penalties that include fines of up to €20 million or 4% of global turnover.
When evaluating and debating priorities, it’s worth considering that criminals and regulators aren’t discriminating between your security and your third parties.
Third-Party Risk Challenge: Where to begin
Ponemon conducted a study not too long ago which showed that 57% of organizations don’t have a full inventory of all the third parties they share their data with. That stat alone could deter many risk professionals from tackling their third-party risk management program. But while that stat may be true, identifying and assessing your third parties isn’t as time consuming as it may seem. From consulting services to new solutions, there are a variety of ways to pull back the curtain and dive in. Depending on the maturity of your program, you may choose a variety of solutions and approaches to help. Regardless of the combination, good solutions can help you identify and manage risk efficiently and cost-effectively.
It’s easy to fall prey to these obstacles, maintain the status quo and think a breach won’t happen to you. But the longer you wait to evolve or update your third-party program, the more time you are giving cyber criminals to stalk your network. They are looking for a way in, and when they find it, the defense of conflicting priorities, limited resources and not knowing where to start won’t stand. Especially when there are cost-effective options that can help you transform your program today.