Jane and Emily are CISOs at two large companies which about five years ago almost simultaneously hired a well-known outsourcer that provides back office business services. Both companies entrusted the outsourcer with sensitive corporate data and granted it special access to their IT systems.
Both Jane and Emily had spent a lot of time, effort and money boosting their respective companies’ physical and IT security, and tightening their compliance with external regulations and internal rules.
However, these two successful CISOs differed in a key area: third party risk management. Jane had given short shrift to this important but overlooked area. Meanwhile, Emily had made it a priority to create a formal, comprehensive, centralized and automated program for assessing third-party risk.
Recently, cyber criminals broke into the network of the outsourcer and stole confidential data and access credentials from its customers, including Jane’s company. Emily’s company had cut off ties with the outsourcer 18 months before, so it wasn’t affected.
The Importance of Assessing the Risk of Vendors and other Third Parties
So what did Emily’s company know about this outsourcer that Jane’s company did not? Emily’s company, through its program to periodically evaluate the risk of doing business with its third parties – including vendors, suppliers, consultants, service providers and partners – had identified these red flags:
— A spike in voluntary management and staff turnover, as well as abrupt waves of layoffs
— Delays in the development and delivery of new services
— Frequent inability to honor SLAs (service level agreements), and erosion in customer service quality and responsiveness
— Spotty regulatory compliance record, and failure to obtain and maintain industry certifications
— Weak IT security practices, lax enforcement of data protection policies and failure to adopt infosec best practices
With this snapshot of the outsourcer’s troubling state of affairs, Jane’s company would have clearly seen how risky this business relationship had become before disaster struck.
Managing Third-Party Risk is Good Business
An automated and centralized third-party risk assessment program boosts your business in a number of ways, including:
— You ensure you’re working with reputable, well-managed companies that follow industry best practices, which strengthens your brand reputation and your customers’ confidence in your company.
— By making sure your business partners comply with government rules and regulations, you avoid costly and disruptive penalties and fines.
— By routinely verifying that your third parties are complying with their contractually agreed-upon SLAs, you make sure they’re keeping pace with your business’s needs and that your supply chain runs smoothly, efficiently and cost-effectively.
— When all of your company’s departments and divisions follow the same third-party risk assessment procedures, you benefit from a consistent, agile, rigorous and transparent process.
While the story of Jane and Emily is fictional, it depicts a situation that’s all too real. You probably remember 2013’s massive Target data breach, made possible after hackers stole login credentials to one of the retailer’s billing systems from one of its contractors. Others that have been hit recently due to a third party’s breach include Boston Medical Center, California State University, T-Mobile and Wendy’s, to name just a few.
In its 2015 U.S. Cyber Crime Survey, PwC concluded that third-party risks aren’t adequately addressed, even though regulators are becoming increasingly worried about the issue. While 62% of respondents said they evaluate the security risks of third-party partners and 57% do so for contractors, only 42% consider supplier risks, according to PwC. Another troubling finding was that 19% of CEOs, CFOs, and COOs said they are not concerned about supply-chain risk.
“It may be that many of these executives presume that the IT department is responsible for third-party threats. If so, we’ve got some potentially troubling news for them: 19% of CIOs themselves were unconcerned about supply-chain risks,” reads the report.
The study also found that only 16% of respondents evaluate third parties’ cybersecurity more than once a year, and 23% do not evaluate third parties at all. Also, most companies do not have a process for assessing the cybersecurity capabilities of third-party partners before they do business with them.
Don’t Bury Your Head in the Sand
The solution isn’t to run your business in a vacuum. Organizations need to engage with a variety of third parties and give them access to parts of their physical locations, business processes, IT networks and confidential data.
In fact, it’s not uncommon for a large organization to have thousands of third parties to which it has granted different levels of permission to enter its premises and tap into its IT systems and data repositories.
This brings us to a key question about security and compliance that you must ask: Are these trusted vendors and other business partners putting my organization at risk? In other words: Do you know how well the third parties your organization does business with comply with information security standards, government regulations and your internal policies?
Like Jane’s company, yours may have its own house in order, but your third parties, due to negligence, carelessness or ignorance, can make it vulnerable to breaches, resulting in customer data theft, IP espionage, brand damage and government fines.
Consequently, you must conduct risk assessment audits of these third parties. You must also run similar surveys in-house to ensure your employees and departments comply with your company’s policies and procedures, and with external rules and regulations.
How to Assess Risk from Third Parties and Company Insiders
These business process control assessments are conducted via surveys. They evaluate areas of an organization such as its business continuity plans, physical and environmental security tools and practices, operational risk safeguards and human resources procedures.
However, the traditional way of conducting these risk assessment surveys — emailing questionnaires and tracking responses on a spreadsheet — no longer cuts it. You must automate these polls to ensure the process is agile, accurate, comprehensive, centralized, scalable and uniform across your organization.
Today, we begin a weekly blog series in which we describe 6 common scenarios where you need cloud-based, automated risk assessments of third parties and internal staff.
Let’s get right to the first one.
A Siloed, Fragmented Process
If your organization lacks a standard third-party risk assessment process, you’re not alone. This problem is more common than you think. Many organizations, especially large ones with multiple global locations, don’t have a centralized, uniform way of vetting third parties.
Often, this task is divided among multiple groups within the organization, such as business units or geographic divisions, each with its own approaches, policies and procedures. The result: a fragmented, inconsistent and inefficient audit process carried out in myriad ways, lacking best practices, basic requirements and established methods for the assessments.
This leaves the organization without a clear understanding of its third-party risk, and thus vulnerable to security and compliance breaches. Specifically, the organization will have trouble identifying which third parties pose the highest risks, and how to keep track of and address those risks.
Cloud Software Can Help with the Establishment of a Formal Vendor Risk Management Program
Given cloud software for automating third-party risk audits, every staffer involved with these assessments will use the same centrally managed, feature-rich tool that streamlines audit requirements and best practices for all users.
This will provide company-wide uniformity for survey design, management, distribution and collection, and offer a central console for campaign tracking, data analysis and visualization.
Supervisors will be able to review surveys to make sure they’re properly constructed, both in terms of format and content, before they’re launched and even while a campaign is in progress. Moreover, managers will have clear visibility into the entire universe of third parties their organization is currently engaged with, across the board and at any time.
If this is your company’s scenario, Qualys Security Assessment Questionnaire (SAQ) is for you. It’s designed to automate and streamline the entire third-party risk assessment lifecycle, including survey design, response monitoring, data aggregation and report generation.
The cloud-based SAQ frees risk assessment administrators from tedious manual tasks, ensures unparalleled accuracy and speeds up campaigns.
With SAQ, an organization can quickly and precisely identify security and compliance gaps among third parties, as well as internally among its employees.
In the second installment of this weekly blog series, we’ll discuss two more scenarios: Reliance on inefficient, manual processes, and inability to perform internal assessments at scale.