Why a Proactive Approach to Vendor Risk Management is Necessary

Sonali Shah | March 11, 2014 | tag: Security Risk Management

When the third-party vendors, partners, processors and contractors that handle your customers' data discover a breach of that data, do you know what their notification practices are? Would you be surprised to learn that almost a third of them probably won't ever tell you that they have put your data at risk?

It's true. According to figures from the Ponemon Institute, only about 6 percent of third parties notify their clients of a loss of client data immediately upon discovery, and 29 percent of companies said that when they suffer a breach involving a partner's or client's data, they simply don't notify their business partners at all.

As we mentioned in a previous post, breach notification laws and standards today are spotty in what they require of third parties that have compromised partner or client data. That void has led to extremely inconsistent notification practices among third parties, with only about 41 percent claiming to have some kind of timely notification policy in place.

Businesses can often work around these gaps through careful vendor risk management practices and shrewd contract negotiation. Putting more rigorous audit and breach notification stipulations into contracts greatly improves the chances of being told when problems crop up. (I recommend that organizations still figuring out vendor risk management best practices check out this article, which offers a good primer on some of the considerations.)

But that's only a start. Even more troubling than these low notification figures is that they describe only a subgroup: the third parties that actually know they have been breached. Case in point: the high-profile Adobe and Neiman Marcus breaches both went on for months before they were discovered, giving criminals unfettered access to data the whole time. So how can you rely on a partner to tell you they've been breached when often they don't know themselves?

Consider the Verizon RISK Team's Data Breach Investigations Report (DBIR): 70 percent of breached companies had to be told by an external party that they had been breached. Extrapolate that to the businesses you work with, and it follows that they could very well experience exfiltration of your data that they never find out about. So not only do you have to contend with a partner not telling you when they find a breach; you also have to consider all the breaches they never suspected.

When it comes down to it, the only way an organization can truly know how well its data is being protected by vendors and partners is through proactive measures. As outlined in the new PCI DSS 3.0 guidelines, organizations should be conducting more frequent audits and assessments to evaluate third-party policies, operations and history. They would also do well to use a security rating solution that extends visibility into a vendor's actual security posture, since, as recent breaches have shown, an increase in observed malicious activity is often an early indicator of trouble. That way you don't have to wait until the next contract negotiation or audit period to check a third party's security effectiveness. Instead, you are in the driver's seat, able to actively manage and reduce third-party risk across the extended enterprise.
