Another year, another report confirming what most compliance and IT security officers already know: third-party vendors are an enormous security and privacy risk, and oversight of those parties is a mess.
That’s the message of a report released Thursday by Opus and the Ponemon Institute, which surveyed more than 1,000 IT and data security professionals in the United States and Britain. Fifty-nine percent of respohttps://www.opus.com/ponemon/https://www.opus.com/ponemon/ndents said that their companies had experienced a breach due to third-party vendors — up from 56 percent in 2017 and 49 percent in 2016.
The rest of the report isn’t any better. Additional glum statistics to ponder…
- Only 29 percent of respondents say a third party would contact them about the data breach;
- Only 37 percent of respondents say they have sufficient resources to manage third-party relationships;
- Only 35 percent of respondents rate their third-party risk management program as highly effective;
- 57 percent of respondents do not know if their organizations’ vendor safeguards are sufficient to prevent a breach.
- Only 34 percent of respondents say they have a comprehensive inventory of all their third parties.
The Ponemon Institute also asked executives about data security for their “Nth parties” — that is, the vendors that all of your third parties use, which are fourth parties to you. Only 12 percent of survey respondents believed they would learn of a breach at one of those Nth parties involving their data. Only 15 percent said they even know how Nth parties are accessing or processing their company data at all. It’s tough to mitigate a risk you don’t fully grasp.
What’s driving all this inability to govern third-party data risks? Lack of resources seems to be one issue: only 37 percent said they have sufficient resources to do the job.
Lack of urgency, however, might be another: while 76 percent said the number of cybersecurity incidents due to vendors is rising, only 46 percent said their companies have made managing these outside risks a priority. And only one-third said they regularly update their boards on how effective their risk management programs for third parties are.
Whither Third-Party Oversight
What’s striking is that so many of these statistics — which are dismal, considering the gravity of the risk involved — relate to governance, policy, and oversight, rather than IT security.
No, your company is not responsible for managing the IT security of your third parties. It is, however, responsible for thinking smartly about how third-party technology vendors are used within your enterprise. So this very much is a corporate risk where compliance or internal audit should be involved.
For example, as noted above, only 34 percent of respondents have a comprehensive inventory of third parties using their data. Why don’t more companies have that comprehensive inventory? Because they don’t have a centralized approach to managing third parties (so say 69 percent of respondents), or the third-party relationships are too complex (cited by 48 percent).
Those are challenges compliance officers have encountered before in the anti-corruption world. They are weaknesses internal audit executives have encountered before if they’ve ever audited the procurement function.
Yes, applying those lessons to technology vendors is more challenging, because it’s so easy for employees to tap new tech vendors without alerting anyone and because cybersecurity is such a fast-evolving threat. But the lessons themselves are the same, because they are about prioritizing the risk, training employees on proper procedure, and strengthening the control environment so everyone understands that third-party risk is something taken seriously.
The Ponemon Institute did recommend a few best practices: create an inventory of all third parties that can access your confidential data; review their policies and practices for data security, including how they address emerging threats such as new apps or devices their employees might use; include contract clauses requiring them to notify you if they will share your confidential information with their third parties.
Those are good practices for your company to adopt. They are also not new. The same issues and ideas were raised in last year’s report, and others prior to that.
The question really is why a company hasn’t adopted those practices yet. Too often, the answer is because the company hasn’t allocated the proper resources to get those practices done, and that’s because the board hasn’t whacked the alarm bell with sufficient vigor so everyone hears the message.
So if you want to print out this post and your most recent risk assessment of tech vendors, and staple those documents to the board’s forehead — that might be a good idea. The risk is only going to get more pressing from here.