Currently, it is a common norm for companies to outsource some of their business processes to external service providers, which essentially allows a firm to focus more on its core business. In the process, sensitive information is shared, processed, and stored on both the business and vendor networks. At the same time, it can become a challenge for an organization to understand its vendor landscape. The relationships introduce risks, which companies might or might not be aware of.
Predominantly, vendor processes have been manual, siloed, and time-consuming. Communication between a company and a third-party service provider takes place via emails and meetings, while records are kept in excel files. The siloed processes lead to ineffective communication and oversight and eventually, the business lacks visibility into the overall supply chain risk posture and vendor activities.
A review of some research studies on vendor vulnerability reveals the following appalling findings:
- Bomgar 2016 Survey found that 74% of participants believe that the vendor selection process overlooks key risks, while 64% believe that organizations focus more on cost than security when selecting third-party vendors. Another 77% consider that they will face a severe data breach incident within the next 24 months as a result of vendor access to their networks
- PWC’s Global State of Information Security Survey 2018 reveals that a majority of businesses are still struggling with data use governance and only 46% require third parties to comply with their privacy policies
- Soha Systems Survey discovered that merely 2% of IT professionals consider vendor-secure-information access a top priority, even as more security threats are now being linked to third-party contractor access
- CSO reported that organizations spent $10 million in one year addressing breaches that were a result from third-party risks
Businesses, in most cases, rely on developed and approved control policies to reduce diverse risks while in operation. Unfortunately, lack of concrete visibility over their vendor’s environment translates into the inadequacy of an existing controls framework since the business still remains vulnerable to “friendly fire.” At the same time, the present business environment requires stringent regulatory compliance and reduced likelihood of data breaches. Failure to meet these requirements will lead to regulatory exposure, lawsuits, financial loss, and damage of reputation. In some cases, lack of control over the vendor landscape might be the cause of gaps in both regulatory compliance and data breach incidents since hackers can exploit the associate’s lax security measures to reach a company’s system. Nevertheless, the affected business is always held accountable for such occurrences, irrespective of the cause.
In consideration of the foregoing, major regulations, such as the Health Information Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS), require that an organization’s risk management policy covers risks that may arise from working with vendors. In fact, new regulations in most industries are demanding an increased focus on how businesses monitor security controls of their third-party vendors. For instance, the Office of the Comptroller of the Currency (OCC) 2013-29 requires banks to adopt risk management processes proportionate to risk levels of their vendor relationships.
In effect, businesses should devise effective approaches to this risk vector, while maintaining healthy and productive relationships within the supply chain. Vendor risk management (VRM) involves measures deployed to identify and mitigate potential uncertainties and liabilities caused by collaborating with third-party vendors and fourth-party vendors. An effective strategy involves employing a technology-based, force multiplier to control vendor risk. A solid understanding of the security controls of vendors is critical in mitigating the supply-chain risk.
“An organization’s security is only as strong as its weakest link. Many times, this is your vendors,” said Ian McClarty, President & CEO of PhoenixNAP Global IT Solutions. “For example, the Target breach was via its HVAC vendor. Cybersecurity should be an integral talking point of your conversations during the vendor-selection process. Always bring up security early and stress how important data security is for your company.”
A reliable and effective vendor risk management strategy should focus on the following functions:
- Identify: This functionality involves developing plans that identify inherent risks of third parties. Companies should create vendor evaluation criteria and establish the risk posed by the criteria.
- Define: An organization should define its risk assessment policy employed for evaluating vendors. A key approach to managing supply-chain risk involves deploying a well-defined, vendor evaluation and monitoring strategy
- Assess: Supply risk assessment should be made mandatory in a firm and reviews should be conducted periodically
- Remediate: remediation process should involve the collaboration between a company and its vendors
- Maintain: Ongoing third-party risk and activities monitoring will enhance vendor compliance in the long-term
This VRM approach enables a company to examine third-party risk based on diverse criteria, such as access to business information, process requirements, business continuity, regulatory requirements, and reputational needs. It is imperative that companies inventory third-party vendors through reviewing contracts, administering relevant questionnaires, and conducting meetings to assess their security controls. Such procedures allow a profiling of vendors against defined potential impact to the business. The process should examine the vendor’s ability to comply with regulations, their control over information security, and their ability to operate in the event of a catastrophic incident.
The supply-chain risk management process requires an analysis of crucial information about the vendor environment. As such, companies can make it mandatory for vendors to fill in detailed questionnaires about the information, such as specific implementation of their security controls. Moreover, it is vital to conduct both offsite and onsite assessments that involve document review and interviews. In other words, vendors are expected to be open to security audits, including running vulnerability assessment, and Penetration Tests to prove the effectiveness of their security controls. The assessment process should be an ongoing activity to continually reduce a company’s exposure to vendor risk and third-party related breaches.
For the supply-chain, risk management strategy to be effective, a company’s top management should be involved. Additionally, employees need to be trained on third-party information security. Proper documentation is also necessary, which involves maintaining an updated register of all vendors with details about their risk profiles.Ultimately, companies should recognize that “trusted” vendors can create a gap in their security postures. Essential precautions will help mitigate risks that exploit third-party entity relationships. Developing and implementing a robust vendor risk management strategy will enhance an organization’s ability to mitigate risks related to supply chain, vendor service quality, breach of contract, and contractor availability. The strategy offers a well-defined risk management process that allows third-party risk profiling and implementation of reliable risk mitigation controls. Moreover, the solution enhances adherence to compliance requirements.
For further assistance on vendor risk management processes, learn how Ignyte can help your business by requesting a demo.