Establishing partnerships, outsourcing, or purchasing products from multiple third-party vendors frequently involves risk. Other third parties, such as regulatory bodies, government agencies or strategic consultants, can also pose serious risks. These risks can result in reputational damage, fines imposed under regulatory compliance requirements, legal liability, business interruption, and so forth.
Whether you buy products from a wholesaler to run your business, outsource human-resources or other administrative functions, contract medical care to support healthcare services for your employees, or integrate your systems with a third-party vendor, the sensitive or confidential data at the heart of your business can easily be put at risk of compromise.
According to the Bomgar Vendor Vulnerability Index 2016, “35% of data breaches result from third-party vendor access” (see Figure 1 below).
An analysis of recent high-profile data breaches showed that attackers first penetrated the victim's network through a trusted channel belonging to one of its third-party vendors. After a successful intrusion, the adversaries either posed as the legitimate vendor to pursue their own agenda, or leveraged the weaknesses of a legitimate vendor to attack another company.
Another study, the 2017 Vendor Risk Management Benchmark Study, found that 71% of insurance companies, including healthcare providers, said they would change their higher-risk relationships over the next twelve months, while 48% of respondents said it had become crucial from a regulatory and risk standpoint to analyze a vendor's own contractors. Unfortunately, shrinking budgets push organizations to cut costs by outsourcing critical business tasks and systems that contain sensitive information.
Vendor security is a significant part of the risk management process, but it is often neglected. To reduce vendor risk to an acceptable level, an effective and efficient Vendor Risk Management (VRM) program must be in place.
According to Gartner, "VRM is the process of ensuring that the use of IT suppliers and service providers doesn't have a negative impact on business performance or create an unacceptable potential for business disruption. VRM ensures that enterprises analyze, monitor, and manage their risk exposure from the third-party vendors that offer services and IT products, or that have access to the corporation's critical information."
A fundamental step of VRM is the Vendor Risk Classification.
Performing a vendor risk classification involves three critical elements:
The first step is building a vendor inventory. An inventory tells you who your vendors are and what type of data each of them is allowed to access. Creating an effective inventory involves five further steps, including:
Your company may have relationships with several vendors, each of which can pose multiple risks. Because each vendor carries a specific type of risk, you must categorize each vendor's potential risks in order to know what remediation is needed, depending on the criticality of the vendor and the type of risk. The risk profile of each vendor is defined through risk identification and integration, risk classification and analysis, control evaluation, and risk reporting and treatment.
In addition to the risk type, you can classify risk in two further ways: according to the relationship you have with the vendor, or according to the data it handles. When dealing with third-party vendors, it is imperative to agree up front how data will be stored and handled both during and after the relationship, so that the company is not harmed once the engagement ends.
As per the NAVEX Global 2016 Third-Party Risk Management Benchmark Report, “in 2016, only 22% of U.S. organizations monitored all of their third-party relationships”.
For example, TigerSwan's former recruiting vendor left thousands of files containing sensitive information about American citizens in an unsecured Amazon S3 storage bucket, even though the contract with that vendor had been terminated in February 2017.
Risk assessments allow your enterprise to measure the level of risk involved in your relationship with a third-party vendor.
Once a risk is identified, your company can either remediate it or terminate the relationship with the vendor. There are typically three types of risk assessment that companies perform to pinpoint potential issues before they occur:
Assessing vendors involves a number of steps that your company must follow to avoid problems later. Your company can appoint a "Vendor Security Assessor (VSA)" who engages the vendor for assessment. The VSA must know how to schedule an assessment and how much time the assessment will require. The VSA should also be familiar with the escalation process for cases in which the vendor is reluctant to cooperate.
Essential steps for assessing vendors:
Managing issues is the last step, in which your company documents the issues found and develops actionable plans to remediate them.
Typically, this involves four steps:
When managing the issues, you should be able to answer the following questions:
In an ever-changing, competitive industry, the selection of a vendor or product depends not only on quality and cost but also on the many risks involved in the relationship. Enterprises should establish a thorough process to vet vendors before selecting them. Afterwards, the vendor's security and privacy controls should be actively monitored to mitigate the risks created by the third-party relationship.
If not properly evaluated and managed, third-party vendors can expose partnering organizations to considerable risk. Each vendor can carry a different type of risk, such as strategic risk, compliance risk or operational risk. Overlooking these risks can expose an enterprise to a data breach or to compliance failures. Corporations must therefore take proactive measures when establishing partnerships or outsourcing services to third-party vendors. These measures include Vendor Risk Classification, Vendor Assessment, and Issue Management, alongside an effective vendor selection and management process. Doing so helps enterprises prevent data breaches and minimize the risks introduced by third-party vendors.