I’ve talked a lot about cyber attacks and how to prevent them with the right mix of policy, education and multi-layered security solutions in place. However, there is a huge threat to your business that is often underestimated or completely forgotten about.
Third party providers can be entrusted with the same access levels to confidential or sensitive customer data as employees, yet research has shown that many organisations fail to adequately vet third party providers. In fact, the 2014 Cyber Crime Survey found the figure to be as high as 70% of organisations that did not vet the security of their third party providers.
Public cases of third party security breaches seem to back up the evidence, with a high profile data breach for Yahoo in 2014, a breach of a third party website provider for Edinburgh City Council last summer, and a hack into a JD Wetherspoon database held on a third party website.
Last year, US technology consultants Booz Allen Hamilton went so far as to name third party providers as the number one security risk to financial services firms.
The 2015 Information Security Breaches Survey reported that a large London-based insurance firm suffered reputational damage as a result of a third party breach in which customers’ data was stolen. The contract with the supplier stipulated certain controls which turned out not to be in place. Clearly the supplier’s security credentials hadn’t been checked or verified thoroughly enough.
Some large firms may deal with anywhere up to 50 third party IT suppliers. Of course not all of them will have access to sensitive data, but some will, and each of these must be thoroughly checked, because any third party relationships that they in turn hold mean your data could be handled even further out of your control.
A vendor management programme must not only consider financials, contracts and reputational risks, but must treat cybersecurity preparedness as a critical evaluation criterion.
The first step in any vendor management programme should of course be to know your suppliers inside and out: understand what services they provide for the firm and what data they are party to.
Next, create a risk register outlining all potential risks associated with each third party supplier, with suggested measures that can be put in place to mitigate these. Data encryption could be one solution for data that has to be processed by a third party.
Ensure that responsibility for undertaking thorough due diligence is clearly allocated to an individual or group, and that they fully understand their remit, or centralise the process with a firm-wide risk management or procurement team. It’s too easy for this important work to fall through the cracks.
A third party vendor management provider may seem to merely add complexity to an already murky vendor landscape, but a good partner can be invaluable. Much like a password manager holds the key to all your other passwords, a good vendor management service can do all the hard work for you. When I offer this service, it is attractive to our clients because we are performing due diligence at scale across largely known and understood vendors, and our clients can take advantage of our deep knowledge and levels of research.
I’ve been contracted to run vendor management projects for lots of different reasons, sometimes as a cost saving exercise, often because a firm wants to re-evaluate its cybersecurity policy and occasionally because of a merger, where we have to provide evidence that the unknown set of vendors meets compliance, regulatory and best value standards.
Whatever the reason, it is a valuable exercise and an important job that must not be overlooked.