Relationships with vendors are important (or even vital) for many organizations, but unfortunately, there’s a trade-off—the more data you share, the more risk you acquire.
Your organization probably deals with handfuls (or maybe hundreds) of vendors. Whatever the case may be, having a comprehensive third-party risk management solution is the best way to protect yourself against cyber mischief.
But with as many vendors as most organizations typically work with, how do you decide which companies to monitor? It’s simply not possible to monitor them all—but which are the most important?
While this can only be answered on a case-per-case basis (as it varies greatly by company and by industry), there are several industries that you should be monitoring no matter what. To give you a leg up on your quest for better vendor risk management, below are the four most important industries to have on your radar.
The 4 Industries That Should Be On Your Third-Party Risk Management Radar
1. Finance
Every organization needs a bank. And banks have a great deal of information about their customers. So it comes as no surprise that you should be continuously monitoring the security of your financial institutions to be sure that your information (and your money) remain secure.
Historically, the finance industry has been a top performer as far as cybersecurity is concerned, but that doesn’t mean banks haven’t had security issues. For example, 76 million households were affected by a 2014 cyberattack on J.P. Morgan Chase. This particular breach went unnoticed for two months, as the hackers accessed the system repeatedly for short periods of time. If such a large financial institution has a hard time monitoring its own security, it makes you wonder about the cybersecurity posture of smaller banks and credit unions, and whether they have the right systems in place to stop a breach before it happens. So, even though finance has been a top performer in the past, it's still vitally important that every organization keeps an eye on this industry.
2. Legal
Virtually every organization will use a law firm or lawyer for something. Whether it’s for patenting their latest product design or providing counsel, having a law firm at your side is vital if you’re going to successfully grow a company. But due to the nature of their job, lawyers have a great deal of access to legal documentation, ongoing litigation, and other sensitive information that simply cannot go public.
One reason why legal counsel should be on your third-party risk management radar is that, unlike the banking industry, law firms aren’t closely regulated by the government. This gives them free rein over how seriously they take cybersecurity and what precautions they take to protect your sensitive data.
3. Technology Cloud Providers
With the advent of cloud technology, more company data from software systems is being stored online. While this is an important technological advancement, one that makes business software far more usable, it also opens the door to data security issues.
Consider a customer relationship management (CRM) software system, for example. CRMs house an organization’s entire sales pipeline and forecast. If the third-party software provider is breached, your organization’s sales information (and possibly that of your competitors) could fall into the wrong hands. Or, think about automated human resources (HR) software that is hosted in the cloud. If the data stored by that particular third-party software provider is breached, the sensitive information of your employees, including social security numbers, payroll, benefits, insurance information, and more, could be spread around freely online. (This is similar to what happened in the Office of Personnel Management (OPM) breach, where hackers were able to get HR information about U.S. Government employees.)
So, cloud security monitoring of vendors is vital in order to be sure that they have adequate security controls in place. If you don’t, and one of those third parties is hit with a cyberattack or data leak, a lot of sensitive information about your business processes (or your employees’ personal information) could get out.
4. Business Services
Because business services is an all-encompassing designation for many smaller industries, we've broken it down into two subgroups that are vitally important to monitor.
While most large (and some small and midsized) businesses have a finance team on hand for day-to-day work, many outsource large-scale projects, like their taxes, to experienced accounting firms. Understandably, an accounting firm must keep any and all tax records secure from cyber mischief. According to an interview with several tax experts published in the Journal of Accountancy, a “storm is coming” in the area of cybersecurity. All three experts agreed that there are concerns in the accounting realm about sharing sensitive information in the cloud because of cybersecurity threats.
If you deal with e-commerce at all, payment processors (from large firms to online payment systems) are a good addition to your third-party risk management watch list. Historically, some of the largest payment processors have had security issues. Just look at Heartland Payment Systems, which hackers gained access to in 2009 in one of the largest cybersecurity attacks of all time; over 100 million credit and debit cards were stolen. (In fact, they were just recently involved in yet another security breach.) So, it’s clear that keeping a watchful eye on your payment processor and its cyber health is worth it.
Something To Think About
It’s fairly obvious why we chose the four industries we did. Nearly every organization deals with vendors in the finance, legal, technology, and business services industries.
But if one of these industries gets hit with a cyberattack and your information becomes compromised, you’re not just going to suffer from one angle. Why? Because chances are, several of your other vendors, partners, or other companies in your industry use the same bank, CRM system, or payment processor. So information that those other third parties hold may become compromised as well, putting even more of your data at risk.
Proper third-party risk management gives you a more complete defense system. And with the top-of-the-line continuous monitoring solutions available, you will feel far more prepared and significantly less vulnerable.