Vendors make the world go round, allowing organizations to outsource tasks efficiently, but they are also a top source of breaches. LogicGate’s Matt Kunkel discusses the risks companies must address with their TPRM programs.
It’s estimated that anywhere from 20 to 50 percent of workforces are outsourced. While outsourcing can help companies scale and be more efficient, it also can pose a significant risk. Every year, companies continue to experience data breaches because of vendors. Recently, Quest Diagnostics, a clinical laboratory company, announced that 11.9 million customers’ personal information was potentially compromised. The cause of the breach was linked back to third-party vendor American Medical Collection Agency (AMCA), a billing vendor hired by a Quest contractor called Optum 360.
The Quest Diagnostics breach once again brings an important issue to the forefront: companies are responsible not only for the data they collect themselves, but also for the data their third-party vendors collect. While vendors’ decisions are commonly outside of the company’s control, they can still harm a company’s business and reputation.
Before adding a third-party vendor, companies should consider the potential risks below to ensure they are prepared.
Lack of Transparency
With multiple processes and data spread across different systems, it’s often difficult to get a clear picture of third-party relationships. Without a single source of truth, Chief Information Security Officers (CISOs) are left trying to sort through multiple files and business units, leading to a long, drawn-out process of trying to find the right information to report to executives.
Instead of vendor information spread across multiple systems, consider creating a central repository of all third-party vendors. In doing so, risk managers can have a clearer understanding of all assets, risks and threats. This central system becomes a single source of truth for all individuals in the organization, cutting down on confusion and information silos.
Moving Beyond Spreadsheets
As companies continue to transform their digital processes, one would think that organizations have moved beyond the use of spreadsheets to keep track of risk registers. However, this is not the case. Hampered by manual processes, CISOs and risk managers find it challenging just trying to keep up with risk mitigation. As a company grows, so does its risk. If companies continue to rely on spreadsheets or manual solutions to track their third-party vendors, they are opening the door to even more risk and frustration.
To avoid this issue, CISOs should consider solutions that involve robotic process automation. Through this technology, a company can cut down on human errors and automate processes like data collection to help scale the third-party risk program. Utilizing technology to perform third-party risk assessments allows companies to closely monitor third-party risk without causing disruption in a vendor’s day-to-day tasks.
No Plan in Place
Organizations without a plan in place to address risks are more exposed, simply for lack of preparation. Companies must take time to analyze risks and put programs in place to measure and monitor them on an ongoing basis. With a program in place, CISOs can be confident that risks are being identified and handled properly.
Vendor relationships do increase risk for an organization. However, this does not mean companies should not work with third-party vendors. Instead, companies should take precautionary steps to ensure all vendors are sufficiently monitored before issues occur. By pulling vendors into a single source of truth, all parties involved can have a transparent view of their vendors and avoid any hidden dangers.