By Jake Olcott, VP of Government Affairs, BitSight
When it comes to third-party risk management (TPRM), many organisations are just beginning to figure out the core components of their programme — and some are not implementing any measures to monitor their third parties at all.
According to Ponemon’s November 2018 report “Data Risk in the Third-Party Ecosystem”, 54% of organisations say their companies do not monitor the security and privacy practices of vendors with whom they share sensitive or confidential information (or they are unsure), yet only 29% trust the vendor to tell them of a breach. That being said, where do companies who are just starting out on their risk management journey actually begin when putting a TPRM programme into place?
It’s widely known that risk from the supply chain, or third parties, is one of the most pressing risks for businesses worldwide. However, according to Ponemon’s report, most organisations don’t have the confidence, resources, or vendor inventory to even start a TPRM programme, and of those that do have a programme, only 35% rate it as highly effective. Where a programme does exist, it is often inefficient in its procedures and processes; it can take several weeks to complete risk assessments or vendor questionnaires with a small team (sometimes just one person!) in place. Ultimately, this slows down the business in its day-to-day operations.
Point-in-time assessments are not an accurate representation of the dynamic risk present across all functions of an organisation, but it’s important for companies to realise that implementing a mature TPRM programme with continuous monitoring of vendors takes time. While continuous monitoring is the standard, not every organisation is ready to implement it on day one. You need a plan to get there. The path organisations take towards a mature third-party risk management programme starts with simply launching the programme. While it may seem reactive at first, it will eventually expand into more continuous, automated processes that allow the organisation to scale.
It’s more than acceptable for companies to start with an “ad-hoc” or reactive TPRM programme as they get things off the ground, while remaining conscious of the automation and resource allocation needed to achieve full confidence in the programme. If they need to perform security assessments, they can assess only their “high-risk” or Tier 1 vendors, and re-assess when a security event happens or on an annual basis.
A great place to start is by assessing the vulnerabilities that exist across a company’s third-party supply chain. Vulnerabilities pose one of the largest threats to an organisation when it comes to the risk of a data breach or cyber incident, and they are easily identified using outside-in solutions such as security ratings. Incidents like the Ticketmaster breach of June 2018, in which customer data was compromised through a third-party vendor, could have been avoided if the company had visibility into the vulnerabilities present on that vendor’s network, vulnerabilities which ultimately had a severe effect on its own.
Ultimately, organisations need to start somewhere when implementing a third-party risk management programme. If they begin by identifying and addressing the biggest, riskiest vendors to their business (as well as identifying the vulnerabilities present on those vendors’ networks), they lay the foundation for a more mature TPRM programme in the future.