Businesses depend on third parties for services and technologies, and computer systems are no exception. Almost 80% of businesses use at least one cloud-based application, according to a post by Steve Driz on Peerlyst. Reliance on third parties creates increased risk; if a vendor's controls are weak, hackers can gain entry into a company's computer system and cause significant damage. One good example of this was Target's data breach back in 2013.
Driz's post emphasizes the need for proactive risk management of a company's cyber vendors. Investing time and money up front can prevent serious loss in the future. In a worst case scenario, a major cyber attack can shut down a business permanently. In one survey, 78% of consumers said they would stop interacting with a company after a data breach, and 36% would abandon it completely. Whether dealing with a one-time supplier or ongoing service and support, consistent procedures are necessary.
Driz lists these components of a third party risk management program:
- Identify the right vendor
- Analyze vendors based on reputation, body of work, technologies and credentials. This applies to low level operations as well as critical processes.
- Perform due diligence
- Investigate their experience with threats:
- Were threats detected in time to prevent a breach, and if not, did the vendor learn from its mistakes?
- Do they know their potential vulnerabilities, and have they addressed them?
- Do they have risk mitigation policies in place backed up by controls and testing?
- Check their technology, tools and security (in-house or outsourced?).
- Remember quality is more important than price.
- Get full disclosure on prior incidents and references from users.
- Perform a background check to be sure certifications are valid and current.
- If necessary, get an independent audit of their procedures and controls.
- Investigate their experience with threats:
- Monitor performance
- Ensure agreed processes are being followed.
- Changes in risk need to be regularly assessed.
- Have a defined contingency plan in place
- An effective incident response and management plan will help to keep downtime to a minimum.
- In the event of a breach, the vendor must verify the damage, provide a complete breakdown of the incident and explain how they will mitigate similar future risks.
Vendor risk management is a necessary part of every company's risk management program. If you are unsure about the risk you may be exposed to through your third party vendors, we encourage you to set up a free 10 minute intro call with one of our Risk Management experts below. We would be glad to discuss your unique situation in more detail.