Managing Vendors & Third-Parties — Your Strongest or Weakest Link?
BITS Recommends: Top 15 Security Controls
June 5, 2020Tips for Excellent Video Meeting Quality
June 25, 2020Managing Vendors & Third-Parties — Your Strongest or Weakest Link?
Tom Pinou, Director- Data Center Operations
Managing your third-party vendors can be a daunting task, but a necessary part of business practice. To coin a phrase, “Not all vendors are created equal” is a definite understatement.
Over the years, the lack of appropriate security precautions and risk management processes have surfaced among not only small vendors, but the big players too. As you may recall, hackers penetrated the Target network using credentials belonging to an HVAC vendor. The hack resulted in the loss of data on 40 million credit and debit cards. Quite suddenly, the corporate world woke up and realized that their vendors could present a major exposure. This whitepaper is not intended to be too hard on the third parties, as a matter of fact, there are many strong vendors that follow current security best practices. It’s more to gain a better understanding of which partners may be your “strongest link” and which might be your “weakest link”.
In this whitepaper, we will briefly discuss three areas: an overall strategic view of managing your outsourcing partners, define various types of risks, as well as share some best practices on how to minimize your company’s risk.
Risk Exists
According to Deloitte, organizations must make a strong first effort to manage risk from all directions. They recommend taking control of third-party risk by implementing a strong third-party “Assurance Program”. Once those assurances are documented they should be enhanced by developing a well-defined “Vendor Management Best Practices” procedure. Then, as your business grows and evolves, continue to refine in three critical areas; Policy, Processes and Procedures.
Outsourced Service Providers (OSPs) and third-parties have becoming more and more integrated with their clients’ day-to-day operations. As a result, they create more of an impact on their clients’ internal control framework, such as financial reporting as well as auditing and compliance requirements.
Focus on risk management through a contract review or a compliance services review, use that exercise to help your own organization improve internal business processes, maximize revenue, manage costs, address risks, strengthen relationships and boost performance.
The Reality
According to research of 450 breaches investigated since 2013, an alarming 63% involved a third-party. Experian, in their 2015 Data Breach Industry forecast report made the case well by saying, “As more companies adopt interconnected systems and products, company breaches or cyber-attacks will likely increase via data accessed from third-party vendors.”
A Strategic View of Outsourcing
The strategic view of outsourcing is generally comprised of three distinct views – global view, risk view, and industry views.
In the Global view of outsourcing today, outsourcing extend far beyond Information Technology (IT) processing or the need to find the lowest-cost alternative to in-house operations. Companies are outsourcing at global levels.
In the Risk view of outsourcing It is important for your company to be aware of all the risks that may be typically associated with outsourcing, including, but not limited to reputational risk, control risk, compliance risk, privacy risk, financial and operational risk.
Outsourcing any component of your business enterprise to a service organization can introduce any or all these risks – either directly or indirectly. Direct risks are typically associated with the actual processing or hosting of data. Indirect risks which can be equally as critical, are normally associated with how the data is managed (or mismanaged) and the clients’ perception of the relationship between the provider and users of outsourced services. In the Industry view of outsourcing, these practices and controls are unique to each industry.
Compliance and Assurance
Compliance with industry, government, and other regulatory agencies has become more challenging as more companies manage increasingly complex reporting requirements
Third-Party Vendor Management
So, what do you do when your vendor is just not keeping up with your business?
Since third parties are often a company’s weakest link, it is important to address this risk appropriately. Here are some practical suggestions below:
- Senior Leadership must set the direction
- Corporate leadership must make third-party risk management a priority for it to be successful. Such programs require time, resources, and above all, an eye to details.
- Have a structured program
- Third-party oversight should begin with a structured program, with proper documentation and procedures. The program must be an ongoing effort, rather than a one-time review.
- Oversight applies to all Vendors: Large or Small
- The risks posed by a small vendor cannot be ignored, even if the exposure is also small. It is easy to overlook a small vendor performing a relatively minor service.
- Make your risk management match your vendor
- In a perfect world, the same risk management standards could be applied to all vendors. But we know, once size does not fit all.
- Consider each vendor and the level of exposure
- While the company that cleans your office possess some inherent risk, they are simply not in the same category as your vendor that has access to your internal network and data.
- Document Everything and Find a New Vendor if Needed
- Your actual control over a third-party vendor’s security and risk practices is somewhat limited. It is important that you document all aspects of your efforts, to demonstrate that you did everything reasonably possible to protect your business.
- Lessons Learned
- The outsourcing of key components of a business – in order to meet cost, competitive, and operational demands – has become a strategic imperative within many industries.
The recommendation from experts in the field is a multi-directional approach to manage these complex relationships because of the global nature, risk nature, and industry regulations associated with outsourcing vendor relationships.
In summary, look carefully and closely since the cost of doing business, managing efficiencies and minimizing risk with the wrong partnership has a long-term impact on the growth on your business. Both providers of outsourced services and users of outsources services are seeking the same end goal – assurance that the risks associated with their business are being managed effectively.
Bottom line – You can outsource a process, but you cannot outsource the risk. Know your third-party.
