Today most businesses find themselves in the position of requiring a strategic partnership with a third party to address many different business needs and requirements. These partnerships typically benefit the primary company in the form of cost savings (labor/operational), increased quality of product or service, or an increased speed with which the product or service is delivered. Additionally, partnerships may be used to address deficiencies within the business operation, such as a talent shortage. Organizations may even be compelled to partner with a third party by industry or regulatory compliance mandates, as is the case with PCI-DSS or GLBA, to name a couple of examples.
These strategic partnerships certainly provide a benefit to the primary organization, but also introduce an additional level of risk. A Soha Systems survey indicates 63 percent of all data breaches are linked directly or indirectly to third-party access. From a network and information security stance, an organization’s security posture is only as strong as its weakest link.
We’ve seen headlines in the news that illustrate this time and time again. Take, for instance, the recent DoorDash breach that exposed the data of 4.9M merchants, customers, and workers as a result of a third-party service provider. Or the infamous 2013 Target breach, in which Target’s corporate network was compromised through a contracted third-party HVAC company, Fazio Mechanical. The attack began with a phishing email that led to malware being installed on Fazio Mechanical’s systems, and it continued until the attackers had infected Target’s POS terminals and stolen customer data. Because of relaxed security policies, practices, and implementations on the part of both parties, Target incurred costs in the form of an $18.5M lawsuit settlement, damage to the company’s reputation and the resulting lost business, as well as the resources expended to significantly improve its security posture and reduce the possibility of future attacks.
Even if the security risk started with, or is wholly due to, a service provider’s lax security posture, the primary organization will ultimately bear responsibility for the breach, especially in the mind of the customer. From a legal standpoint, the primary organization may often find it difficult to demonstrate that sufficient steps were taken to manage its third-party risk; it could therefore be considered liable for the breach and held responsible for the ensuing costs of remediation.
It can be a difficult task to mitigate the risks inherited from a partner’s security posture, over which you have little control. Naturally, how a given organization manages any risk will depend greatly on the business requirements and goals of that organization.
The following are steps any organization can take to begin the process of managing third-party risks:
Step 1: Obtain executive leadership buy-in and support.
This is essential for any risk management program to succeed. Leadership support will provide necessary oversight and will stress the importance of this endeavor to the entire organization.
Step 2: Perform a thorough in-house risk and vulnerability assessment to gauge your organization’s security posture.
Implement any needed changes and address any deficiencies until your own organization’s acceptable risk level is reached.
Step 3: Evaluate the security policies, procedures, and implementations of current partners to assess the risk they may pose to your organization.
If deficiencies are discovered, have conversations with the partner organization to address these gaps. This may involve revisiting current contracts.
Step 4: Prior to contracting with potential vendors, investigate the security practices of these organizations and discuss expectations for how information security will be handled should a partnership be realized.
Due diligence is vital in evaluating the security posture of, and the risks posed by, these potential alliances.
Step 5: To remain successful, implement a risk management program that includes ongoing risk measurement and evaluation through auditing and monitoring.
New risks and vulnerabilities may appear at any time, and an organization must be able to adapt to these changes.
It’s not all doom and gloom when it comes to third-party partnerships. After all, they can provide significant value to business operations. The important takeaway is that their risks are your risks, and your organization will bear the burden should an incident occur. By implementing a risk management program that follows the steps above, you can mitigate third-party risk, giving you peace of mind and long-term success.