We can’t control the care and security of those around us. This is not news. And yet in the world of cybersecurity, companies are relying on third-party vendors—sometimes many vendors at once—to ensure their own security, leaving themselves vulnerable in the process.
I’m sure you’ve heard the numbers: by 2020, it’s estimated 20 billion connected devices will be online via the Internet of Things (IoT). From a digital transformation perspective, it’s fascinating. But from a business perspective, it’s a complete nightmare, at least when it comes to keeping data safe and secure amongst an ever-growing sea of connected third-party vendors—from the cloud storing your data to your online bill-pay partner. As more and more businesses begin to export the jobs that as-a-Service companies can more easily provide, they also set themselves up for a complex and highly fragmented system. And no matter how strong your firewall, and no matter how extensive your security protocol, it all counts for nothing if your connected vendor does not share the same level of commitment to keeping data safe.
Case in point: Anthem Healthcare recently experienced a breach that exposed the data of 80 million people—all because of a third-party vendor breach. Even in a field governed by strict HIPAA mandates—where a compliance culture is drilled into every employee, from the ER to the finance department—data breaches happen. And in industries where security compliance is even less of a priority, you can imagine the possible dangers.
A recent study from the Ponemon Institute showed that just 41 percent of organizations felt their vendors’ data/security is sufficient. Also alarming: nearly 75 percent felt those vendors wouldn’t even bother to tell them if a security breach occurred! These stats are outrageous, and that needs to change. That’s why it’s more important than ever to adopt a program to assess third-party risk.
Like I said—when it comes to data security, you’re ultimately as vulnerable as your least-prepared vendor. That means it’s incredibly important to consistently assess risk and build vendor agreements that address those risks, understanding that all vendors will have different risks and needs.
For instance: not all vendors have access to highly sensitive financial and health information. (If they do, they shouldn’t!) Take time to study which vendors need access to what information; what security protocols those vendors have in place; and how you need them to communicate with you should a breach occur. Oh, right: this also means assessing the vendor’s perceived commitment to keeping these security protocols top-of-mind.
On top of a third-party risk assessment protocol, companies can also take a number of other steps to decrease the possibility of a third-party breach—at least to the extent that it affects their own business.
No company today will avoid 100 percent of all breaches. Mistakes happen. Trojan horses creep in. But in the meantime, it’s important to do as much as you can to keep that data safe. That means adopting a new perspective—one where data security doesn’t stop at your office doors, but continues on throughout your network or supply chain, and ultimately all the way to your customer.