Companies, large and small, rely heavily on their supply chain to run their business. As the number of third parties with access to company and customer data increases, so does the risk of security breaches that have the ability to damage the reputation and sustainability of the business. Third party assurance services can reduce these risks by developing governance and monitoring processes that ensure third parties are managing your data and their own risk appropriately. With threats constantly evolving, the need for a quality third party assurance service is increasing.
Third party risk management is expensive. It involves performing security reviews of companies that don’t want to be (and don’t have the time to be) reviewed. To be successful it requires input from your procurement, legal, information security and internal audit teams and in order to add any real business value it has to be integrated into a process that produces a real and tangible business outcome. C-level executives have enough on their plate worrying about risks to their own business, let alone other people’s businesses. So why bother?
The reasons are the same reasons that we hear time and time again. Operational, reputational, financial and, if your business sits within the financial sector, compliance risk. In short, a failure of one of your third parties will cost you money, clients and time.
At Secgate we like to visualise each one of these four risks by placing them into two main categories – risks to your company’s confidentiality (the ability to protect your customers’ data and your business’s intellectual property) and risks to your company’s availability (the ability of your company to maintain the service it provides to its clients).
Customers have to hand out a massive amount of personally identifiable information in order to do anything in this day and age. They therefore trust you, the custodian of their data, to keep it personal. A data breach at one of your suppliers, whether it be a supplier that handles customer credit card information or purely a marketing agency that handles customer names and phone numbers, will erode the trust your customers have in your business. And this will occur whether the breach was malicious or accidental. It will make customers think twice about handing over their personal information to you in the future, and this trust will take time to repair and rebuild. This loss of trust in your business and brand is, in essence, reputational damage. Damaged brands don’t do well. Think 2013 and Target’s data breach.
Target’s stock price dropped by approximately 10% in the time after the breach was announced, all because of a third party HVAC (heating, ventilation and air conditioning) supplier that you probably can’t name (I know I can’t). Could your business recover from a hit of that magnitude to its bottom line?
Outsourcing is one of the most popular pastimes of businesses in this day and age. Entire consultancies specialise in helping companies outsource pretty much any function they have, from HR through to payroll and IT. Companies are even outsourcing their C-suite executives.
And you trust these companies to be able to maintain the same quality and availability that you would come to expect of an in-house service. And why shouldn’t you trust them? That’s the service you are paying for. But what happens when something happens that means these companies can no longer operate?
This category is wider than information security. What happens when the supplier managing your help desk is hit by a flash flood? But that could never happen, could it? Just remember that an inch of snow can bring London to a standstill.
Could your company operate without its payroll function? Could your company operate without an IT help desk, or even worse, without any IT capability at all? It’s at times like these that strong business continuity and IT disaster recovery (BC/ITDR) plans become a lifesaver. But why should your company have to invoke a business continuity plan and absorb the associated cost? Isn’t that the job of the company that suffered the incident?
Ensuring that your suppliers have a strong, robust and well thought out business continuity and ITDR capability will reduce the chance that your company ever has to invoke its own business continuity plan, preventing operational and financial impacts and mitigating both operational and financial risk.
So this is about trust?
No. Third party assurance is not about your company not trusting its suppliers. It’s about collaboration. It’s about the sharing of best practice. It’s about saying that no matter how mature your information security control environment is, let’s help each other to improve it. And it’s this constant improvement that helps create a robust and resilient economy that can benefit everyone.
Fine, you have my attention. So what can I do?
Firstly, you need to ensure that your company knows what it is dealing with. Do you have a comprehensive third party inventory? Do you know what third parties you use, the service each one of those third parties provides and the data that they take from you to provide it? Does your CISO team talk to your procurement team to get this information? Does your procurement team even have the information?
Secondly, you need to focus your attention on the suppliers that matter most. Rank your suppliers in order of importance from both a confidentiality and an availability perspective. A supplier may be supercritical when looking at them through a confidentiality lens, but bottom of the pile from an availability lens and thus should be reviewed appropriately. Your CISO team cannot do this alone. Your procurement and supplier management teams have to be involved.
Thirdly, implement a third party assurance programme. Look at the controls you have in place to mitigate the risk third parties present to your business. Do your third party contracts contain the required clauses (this will involve speaking to your legal team)? Do you check that third parties maintain their information security control environment? Do you check that your third parties are robust enough to recover from incidents and business continuity issues?
Combine the criticality of the third parties with the results from your third party assurance programme to measure the risk the third party poses to your business. Make the assumption that a strong third party review means a low risk of an incident occurring at the third party, and combine the two into your business’s central risk framework.
Finally, compare this risk to your risk appetite – are you happy with the risk posed by the third parties that your company utilises? Or are there some remediation steps needed to lower this risk?
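The five steps above (inventory, two-lens ranking, assurance review, combining criticality with review results, comparison against appetite) can be written down as a small risk register. The following is an added worked example, not Secgate’s own tooling or method: the supplier names, the 1–3 criticality scale, the 0.0–1.0 review score, the “risk = criticality × likelihood” formula and the appetite thresholds are all constructed assumptions chosen to illustrate the text, and an unreviewed supplier is deliberately treated as worst case so that inventory gaps surface in the remediation list.

```python
"""Third party risk register, worked example (constructed; not Secgate's code).

Step 1: inventory each supplier, the service it provides and the data it takes.
Step 2: rank each supplier through a confidentiality lens and an availability lens.
Step 3: record the result of the assurance review (0.0 poor .. 1.0 strong).
Step 4: risk per lens = criticality x likelihood, where a strong review means
        a low likelihood of an incident (the assumption made in the text).
Step 5: compare each lens against the risk appetite and list what needs remediation.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Criticality(IntEnum):
    """Assumed 1-3 scale for how much a supplier matters through a given lens."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class ThirdParty:
    name: str
    service: str
    data_shared: List[str] = field(default_factory=list)  # step 1: what they take from us
    confidentiality: Criticality = Criticality.LOW         # step 2: confidentiality lens
    availability: Criticality = Criticality.LOW            # step 2: availability lens
    review_score: Optional[float] = None                   # step 3: None = not yet reviewed


def likelihood(review_score: Optional[float]) -> float:
    """Step 4 assumption: strong review -> low likelihood. Unreviewed -> worst case (1.0)."""
    if review_score is None:
        return 1.0
    return round(1.0 - review_score, 2)


def risk(tp: ThirdParty) -> Dict[str, float]:
    """Risk per lens = criticality (impact) x likelihood of an incident at the supplier."""
    like = likelihood(tp.review_score)
    return {
        "confidentiality": round(int(tp.confidentiality) * like, 2),
        "availability": round(int(tp.availability) * like, 2),
    }


def needs_remediation(tp: ThirdParty, appetite: Dict[str, float]) -> List[str]:
    """Step 5: lenses where the supplier's risk exceeds the maximum we are prepared to accept."""
    return [lens for lens, value in risk(tp).items() if value > appetite[lens]]


def build_remediation_plan(inventory: List[ThirdParty],
                           appetite: Dict[str, float]) -> List[Tuple[str, List[str], float]]:
    """Suppliers over appetite, highest risk first: (name, lenses breached, peak risk)."""
    plan = []
    for tp in inventory:
        breached = needs_remediation(tp, appetite)
        if breached:
            plan.append((tp.name, breached, max(risk(tp).values())))
    plan.sort(key=lambda item: item[2], reverse=True)
    return plan


# Constructed sample inventory and appetite; every value here is made up for the example.
SAMPLE_INVENTORY = [
    ThirdParty("Payment processor (constructed)", "card payments", ["PAN", "name"],
               Criticality.HIGH, Criticality.MEDIUM, review_score=0.9),
    ThirdParty("Marketing agency (constructed)", "campaigns", ["name", "phone"],
               Criticality.MEDIUM, Criticality.LOW, review_score=0.4),
    ThirdParty("Helpdesk outsourcer (constructed)", "IT help desk", ["staff directory"],
               Criticality.LOW, Criticality.HIGH, review_score=None),  # never reviewed
    ThirdParty("HVAC contractor (constructed)", "building services", [],
               Criticality.LOW, Criticality.LOW, review_score=0.2),
]
APPETITE = {"confidentiality": 1.0, "availability": 1.0}  # assumed maximum acceptable per lens

if __name__ == "__main__":
    for name, lenses, peak in build_remediation_plan(SAMPLE_INVENTORY, APPETITE):
        print(f"{name}: remediate {', '.join(lenses)} (peak risk {peak})")
```

With the sample data the helpdesk outsourcer tops the list because it has never been reviewed and is highly critical from an availability perspective, while the marketing agency is flagged on confidentiality only: the same weak review score matters through one lens and not the other, which is exactly why the text asks for the ranking to be done per lens.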