Overcoming hidden data risks when managing third parties
Third party risk management is becoming increasingly top-of-mind for organizations as they attempt to protect their privacy and confidential data and improve their security and risk exposure as part of the overall health of their organization.
High-profile breaches, like the one suffered by Target in 2014 or more recently by Netflix in 2017, continue to bring to the forefront the risks third parties can introduce to an organization. As the cloud has increasingly become mainstream, an entirely new set of external risks has been introduced to our environment.
Most organizations today rely on several—if not dozens—of external/SaaS applications to run their business, not to mention cloud-based infrastructure and platform offerings. Data ranging from employee vacation time to business documentation to confidential customer information now resides in the cloud, creating a new frontier of risk with which organizations must now contend.
For many, the ability to manage this new frontier has not kept pace with the adoption of new, cost-effective technologies to better enable operations. According to the Ponemon Institute’s recent survey, Data Risk in the Third-Party Ecosystem - Second Annual Study, September 2017, data breaches caused by third parties are on the rise and yet less than half of those surveyed are prioritizing risk management of third parties.
Most IT organizations have implemented processes and tools to manage their organizational risk but rely on their external vendors for risk management of outsourced operations—without fully assessing the new risks that these tools and services present to their organization’s ecosystem.
Below are actions your organization can take to extend your risk management program to include third parties and reduce the likelihood of a data breach due to factors outside the organization’s control:
1) Know Where Your Data Is – Ensure your organization has a current and accurate inventory of all third parties with whom you are doing business and determine which of these have access to critical data, and which are sharing data with other organizations or Nth parties.
2) Know Your Responsibilities – Become familiar with the contract terms in place for each third party, paying particular attention to how the responsibility for protecting your data is addressed. In all cases, be cognizant of the fact that your organization is ultimately responsible for securing its critical data.
3) Perform Third-Party Risk Assessments – Most organizations don’t conduct regular assessments of the security and risk practices of their business partners. According to Ponemon Institute, those that do so on a regular basis see a 20-percentage point drop in the likelihood of a third-party breach.
4) Understand your Third-Party Risks – All risks aren’t created equal, so to ensure that your valuable and limited resources are in the right place, you need to classify and categorize third party risks according to your organization’s risk tolerance and business impact. Prioritizing enables you to focus on mitigation for the most critical risks first.
5) Understand the Impact Third Parties Have on Your Regulatory Requirements – Often overlooked is the trickle-down effect a non-compliant third party can have on your ability to meet regulatory requirements. Be sure you understand which regulations look beyond your system boundaries to assess risk and compliance, and how this affects your ability to do business.
6) Collaborate Internally – To be successful, TPRM must have ownership and resources that span the organization, beyond compliance and/or IT. This can be achieved through strong internal collaboration. Form a team with key stakeholders including IT, compliance, legal and procurement. Align your language, pool your resources and make executive management accountable to ensure you have the support needed to succeed.
7) Define Expectations of Third Parties – Key to holding third parties accountable is having clearly defined and internally aligned expectations for performance and remediation. Once these expectations are set, ensure all existing and new contracts are aligned to these expectations.
8) Prepare to Avoid Vendor Lock-In – It can be disruptive for an organization to switch vendors, and even moreso if the switch is unplanned. Whether driven by a breach or a vendor shutting its doors, be prepared to manage the risks associated with vendor lock-in. Know how your data will be transferred and scrubbed, and who is financially responsible. Ensure your contract has provisions that protect you.
This new frontier of risk related to third parties is a serious reality that cannot be ignored. Following these risk management best practices can empower you to anticipate and get ahead of risks and, ultimately, protect your company, employees and customers from devastating breaches.
(Editor’s note: Baan Alsinawi and Adriaen Morse will present on this topic at ISACA’s North America CACS 2018 conference on April 30 in Chicago.)