Vendor Risk Management: Threat Continues to Increase
In today’s interconnected world, companies often share data connections and information with third-party vendors and suppliers. These connections help create better data flow in modern enterprise computing systems that manage supply chains, manufacturing, distribution and financial transactions.
However, these connections also present serious risk to data control and privacy. How do companies know their third-party vendors and partners are keeping their proprietary company and customer data secure? Too often, they don’t. Vendor risk management has become an important practice to minimize company risk and ward off data breaches that cost millions of dollars.
Problems Identifying Third-Party Risk
According to the 2016 “Data Risk in the Third-Party Ecosystem” report from Ponemon Institute — sponsored by BuckleySandler and Treliant Risk Advisors — companies have problems determining and minimizing risks connected with allowing third parties access to mission-critical or sensitive information. The study, which surveyed 598 participants across a spectrum of industries, found that 37 percent do not feel they would be notified by an important third-party vendor if that vendor had a data breach involving sensitive information.
Not only that, they are not able to confirm when third parties have a breach. They don’t know how many third parties have access to their data or how many of them are sharing the data. Further, they are not confident in third-party security procedures and safeguards and do not have a vendor risk management policy to make sure procedures are in place to minimize risk.
Third-Party Vendor Breaches Abound
A Soha Systems survey showed that 63 percent of data breaches are directly related to third-party vendors. In 2016 alone:
- Hackers used default PIN codes from employees to breach W-2Express, a tax form management service related to Equifax. The breach affected clients such as Stanford University and Kroger.
- Bizmatic, a healthcare records vendor, was hacked using stolen credentials. The hackers installed malware which affected a variety of health care providers.
- Hackers posed as technicians for Point of Sale systems provided by third-party vendor Datapoint. They gained illegal access to card data and then used that information to hack into CiCi’s Pizza.
Lowering the Cost of a Data Breach
A 2015 study by IBM and Ponemon Institute reported that the financial cost of a data breach totaled $154 per record, an increase of 12 percent from the previous year’s $145. The average cost of a typical data breach to an organization is just shy of $4 million, up 23 percent from a year prior. You can lower the cost per record of a breach by creating incident response teams, utilizing encryption and training employees.
Third Parties Increase Cost of Breaches
The biggest contributor to an increased cost per record of a data breach was the involvement of a third party. In that case, the $154 cost per record average increased to $170. Costs are significantly higher the longer it takes to detect, mitigate and minimize a breach. Breaches caused by malicious attackers took the longest to contain. System glitches and human error scenarios took less time to contain. However, the cost of breaches goes beyond money and data lost.
Vendor Management Solution
Your first step in minimizing the risk of data breaches is a comprehensive vendor risk management program. It makes sure that vendors are adhering to security standards and best practices. Create a plan and breach team ahead of possible disasters. Train employees to ensure they know what steps to take immediately in case of a breach.
Learn more about how to create an effective vendor risk management system by visiting SureID.com.