Don't let vendors put customers — and a business's reputation — at risk
Editor's note: The following is a guest article from Steve Richardson, Vice President of Product Management, Fusion Risk Management.
Every week it seems there is another article about a company suffering a data breach, from Facebook to Google to Equifax.
As the world becomes more connected and businesses collect data at an increasingly rapid rate, hackers and cybercriminals are keeping pace with security protocols and consistently finding ways to get around them — sometimes almost as soon as they are implemented.
Data now is currency. In fact, many hackers would much rather steal consumer data than a finite sum of money.
While organizations must be in control of security and data protection obligations and practices, they must also be vigilant about how third-party service providers approach these crucial components.
The success of an organization depends on the security and resiliency of the third parties with which they partner and, often, share data. If companies do not thoroughly vet these providers, the consequences can be dire.
A growing — and costly — problem
In 2018, large-scale organizations have experienced damaging breaches that affected not only their bottom lines but also their reputations.
One such incident involved Saks Fifth Avenue and Lord & Taylor, when cybercriminals tapped into an unsecured point-of-sale system and stole more than 5 million customer credit card numbers.
In another instance, a chat and customer service vendor for Best Buy, Sears, Kmart, and Delta was hacked via malware and compromised credit card information, addresses, and other personal data of hundreds of thousands of customers.
These incidents and others like them have led to negative media attention and customer mistrust — two things any business must avoid at all costs.
In addition to damaging a business's reputation, crimes like these are becoming more expensive, according to the 2018 Cost of a Data Breach study conducted by the Ponemon Institute. The study reports that the global average cost of a data breach rose 6.4% in 2017, to $3.86 million.
The average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8% year over year to $148. These costs may keep rising as data proliferates and the impact of a breach becomes more severe.
Why the old way isn't working
As organizations seek ways to solve the security problems inherent in many of their business partnerships, they need a flexible, collaborative system that is tailored to the different experiences and needs of its users, is accessible to all parties, and integrates their separate data-gathering and sharing efforts within a core risk management system.
Unfortunately, many companies are unsure how to approach this and end up relying on legacy governance, risk management, and compliance (GRC) solutions, or, even worse, on spreadsheets and email to track and maintain their risk assessments and third-party relationships.
Manual processes, spreadsheets, and email are not a scalable or sustainable model for managing third-party risk, for many reasons. Increased spending with third parties, new and stricter privacy legislation, and a heightened media focus on information security breaches all raise the level of risk a business faces when entering third-party relationships, as well as the risk that results from inconsistent or error-prone assessment processes.
Companies are spending more money on, and relying more heavily on, third parties to manage crucial areas of their business because doing so can reduce internal costs and cut down on hiring and training full-time employees.
While there is added convenience in outsourcing a business process to a third party, companies must also pay attention to how those third parties protect and store sensitive data and how they address their own risk and compliance obligations.
Companies must also consider the General Data Protection Regulation (GDPR), which took effect in the European Union on May 25, 2018 and consolidated all privacy laws into one regulation. GDPR has expanded the privacy rights of individuals in every EU country and has put much stricter rules around how organizations handle the personal data of their customers and employees.
GDPR applies not only to companies in the EU but to every company that does business there and stores or processes EU citizens' data.
The broad nature of GDPR makes it even more evident how much emphasis people around the globe place on their privacy. The result is a greater obligation on every company to ensure that privacy for its employees and customers, which includes thoroughly vetting all third-party relationships.
What's more, regulations that resemble GDPR are being adopted elsewhere. In California, the Consumer Privacy Act was signed into law in June, and will go into effect in 2020, giving residents of the state much more control over their data.
The media attention paid to data breaches can be intense and highly critical. Journalists pay close attention to how and why such incidents occurred, and what could have been done better by the compromised company.
If an organization has not done its due diligence to protect consumer data by assessing the risks associated with their partners, it will become a key point of the news coverage, and can permanently damage the company's brand and consumer confidence.
Increasing efficiency through a comprehensive management system
It is clear that increased scrutiny means a more rigorous and comprehensive process must be in place for assessing and managing risk. There is more pressure on companies to manage third parties efficiently.
That means tossing out the spreadsheets and doing away with legacy GRC solutions in favor of an integrated solution for an assessment and management process that incorporates third parties in broader risk management and resiliency strategies.
The solution must provide third parties with access to information, due dates, and standardized assessment work-streams through a secure portal designed with ease-of-use in mind.
When an organization brings third parties into the solution, with shared information and standardized processes, it establishes a higher level of control over vendor relationships, saves time and effort during the assessment process, significantly lowers risk exposure, enables better decisions, and improves accountability and oversight.
Vendors can log in and access questionnaires and assessments that address risk, impacts, dependencies, and compliance. This model provides for easier review, scoring, and analysis of that information so organizations can make the most prudent decisions possible about potential third-party risk.
One example of increasing the efficiency of the assessment and onboarding process is to automate the pre-assessment scoping procedure, which evaluates a vendor's potential risk tier and determines the level of detail with which the company should vet that vendor.
Some vendors might be put through a complete assessment across many domains (information security, privacy, legal, compliance, and business continuity/disaster recovery) because they are handling sensitive customer or employee data.
Others might not undergo as intense an assessment because they are not involved in processing or storing sensitive data. Automating much of this activity speeds the process and lets internal team members focus their efforts on higher-risk providers.
Regardless of the level of scrutiny, including a vendor in an enhanced third-party management program allows an organization to develop, test and maintain contingency and crisis responses that account for disruptions to those partners.
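The tiering procedure described above can be expressed as a small rule engine. The following is an added example written for this article, not Fusion Risk Management's product or any published standard: it takes intake-questionnaire answers for a vendor, produces an inherent-risk tier with an audit trail of how the score was built, and maps that tier to the assessment domains the article lists (information security, privacy, legal, compliance, and business continuity/disaster recovery). The field names, weights, thresholds, and sample vendors are all assumptions constructed for illustration.

```python
"""Rule-based pre-assessment scoping for third-party vendors (added example).

Turns intake answers into an inherent-risk tier and the assessment domains that
tier requires, so the full multi-domain assessment is reserved for vendors that
handle sensitive data or support critical processes. Weights and thresholds are
illustrative assumptions, not an industry standard.
"""
from dataclasses import dataclass

# Assessment domains named in the article.
INFOSEC, PRIVACY, LEGAL, COMPLIANCE, BCDR = (
    "information_security", "privacy", "legal", "compliance", "bcdr")

# Illustrative scoring rules (assumptions for this example).
SENSITIVE_DATA_WEIGHTS = {"pii": 3, "payment": 4, "health": 4, "credentials": 4}
ACCESS_WEIGHTS = {"none": 0, "portal": 1, "api": 2, "network": 3}
VOLUME_POINTS = ((1_000_000, 3), (100_000, 2), (10_000, 1))  # (min records, points)
HIGH_THRESHOLD, MEDIUM_THRESHOLD = 9, 5


@dataclass(frozen=True)
class VendorIntake:
    name: str
    data_types: frozenset      # subset of SENSITIVE_DATA_WEIGHTS keys; empty = nothing sensitive
    access_level: str          # one of ACCESS_WEIGHTS
    record_volume: int         # records the vendor will hold or process
    business_critical: bool    # an outage at the vendor halts a core process
    uses_subprocessors: bool   # vendor forwards data to its own third parties


@dataclass(frozen=True)
class ScopingResult:
    tier: str                  # "low", "medium" or "high"
    score: int
    domains: tuple             # assessment work-streams the vendor must complete
    reasons: tuple             # audit trail of how the score was built


def required_domains(tier, handles_sensitive, business_critical):
    """Map a tier to the assessment domains it triggers."""
    if tier == "high":
        return (INFOSEC, PRIVACY, LEGAL, COMPLIANCE, BCDR)
    domains = [INFOSEC]
    if handles_sensitive:          # privacy review whenever personal data is involved
        domains.append(PRIVACY)
        if tier == "medium":
            domains.append(COMPLIANCE)
    if business_critical:          # BC/DR review whenever an outage would hurt operations
        domains.append(BCDR)
    return tuple(domains)


def score_vendor(v: VendorIntake) -> ScopingResult:
    """Compute a tier from intake answers; unknown answers raise instead of under-scoring."""
    if v.access_level not in ACCESS_WEIGHTS:
        raise ValueError(f"unknown access level {v.access_level!r} for {v.name}")
    unknown = v.data_types - set(SENSITIVE_DATA_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown data types {sorted(unknown)} for {v.name}")

    score, reasons = 0, []
    for dt in sorted(v.data_types):
        score += SENSITIVE_DATA_WEIGHTS[dt]
        reasons.append(f"handles {dt} data (+{SENSITIVE_DATA_WEIGHTS[dt]})")
    if v.data_types:  # volume and onward sharing only matter for sensitive data
        for minimum, points in VOLUME_POINTS:
            if v.record_volume >= minimum:
                score += points
                reasons.append(f"volume >= {minimum} records (+{points})")
                break
        if v.uses_subprocessors:
            score += 2
            reasons.append("forwards data to subprocessors (+2)")
    access_points = ACCESS_WEIGHTS[v.access_level]
    if access_points:
        score += access_points
        reasons.append(f"{v.access_level} access (+{access_points})")
    if v.business_critical:
        score += 2
        reasons.append("business critical (+2)")

    handles_sensitive = bool(v.data_types)
    if not handles_sensitive:
        # No sensitive data: never "high", matching the lighter assessment the article describes.
        tier = "medium" if score >= MEDIUM_THRESHOLD else "low"
    elif score >= HIGH_THRESHOLD:
        tier = "high"
    elif score >= MEDIUM_THRESHOLD:
        tier = "medium"
    else:
        tier = "low"
    domains = required_domains(tier, handles_sensitive, v.business_critical)
    return ScopingResult(tier, score, domains, tuple(reasons))


# Constructed sample intake answers (hypothetical vendors, not real companies).
SAMPLE_VENDORS = (
    VendorIntake("card-processor", frozenset({"payment", "pii"}), "api", 5_000_000, True, True),
    VendorIntake("email-marketing", frozenset({"pii"}), "api", 50_000, False, False),
    VendorIntake("hvac-monitoring", frozenset(), "network", 0, True, False),
    VendorIntake("office-catering", frozenset(), "portal", 0, False, False),
)


def scope_all(vendors=SAMPLE_VENDORS):
    """Score every intake and return results keyed by vendor name."""
    return {v.name: score_vendor(v) for v in vendors}


if __name__ == "__main__":
    for name, r in scope_all().items():
        print(f"{name}: tier={r.tier} score={r.score} domains={r.domains}")
        for reason in r.reasons:
            print(f"    - {reason}")
```

Running the module scores the four constructed vendors: the card processor lands in the high tier and gets all five domains, the email-marketing vendor and the business-critical HVAC monitor are medium but with different domain sets (privacy and compliance for the one holding PII, BC/DR for the one whose outage would hurt operations), and the caterer is low with an information-security check only. The `reasons` trail is what an assessor would want to see in the portal when deciding whether to override a tier.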
It dramatically increases visibility by providing metrics and reports that identify what processes are effective, and which require more attention. It also allows various departments within an organization to seamlessly collaborate on risk assessments across information security, legal, compliance, finance, and IT.
Vendor risks are business risks
Between malicious hackers and rigorous privacy regulations, today's business climate is fraught with risk. Now more than ever, companies must overcome challenges associated with managing third-party relationships that can result in unforeseen operational and compliance risks, threats to business resilience and loss of revenue and credibility.
A company cannot simply have internal risk management and resiliency measures in place and assume it is protected. Industry has seen time and again that third parties who are not fully vetted and do not undergo a rigorous risk assessment process can do as much damage to a company as an internal failure.
Accountability does not stop within the walls of an organization — it can extend to a partner on the other side of the world. And, if the security and data management processes of third-party service providers are not complete, consistent and compliant, then neither are an enterprise's.