Do you treat all your vendors the same?
Whether you’re an executive in a global corporation or a small local company, there is one certainty; risk is inevitable. We’re not just talking power outages, cyberattacks, supply chain disruptions, and data breaches here. Your company’s reputation could be in someone else’s hands – even your HVAC guy.
A survey by the Ponemon Institute found that more than 41% of surveyed companies sustained a data breach caused by a third party. This is a tell-tale sign that third-party risk management should be in everyone’s security arsenal.
Third-party risk is a security function as well as a compliance requirement and now, with the emergence of New York’s new cybersecurity regulations – law. Ensuring broad cybersecurity coverage means understanding the risks posed by both your third-party providers and their providers (fourth parties). It is important to also note that understanding where your data is, both internally and externally, helps you to better isolate your risks and understand where you must focus your efforts.
If it isn’t hard enough to think about all the potential risks that can be caused by natural disasters or even those bad guys lurking behind a computer screen, now you need to watch out for your partners that your company pays. Risk can come in all forms and it is hard to believe when you develop a new partnership that same partner could cause your company’s demise.
ASMGi’s core is security. We’ve helped companies formulate vendor risk programs and have even helped companies move to a faster, more efficient way to complete vendor risk assessments.
Through our experience, here are some simple tips for successful third-party risk management:
- Treat your vendors like you would your friends: Each vendor is unique not all vendors are created equally. Let’s face it, some companies ask their Cloud service provider the same questions as their event caterer. Treating all vendors equally can add noise to the assessment process and lead to a lack of participation from your vendors.
- Prioritize what you’re asking your vendors: It’s very easy to create vendor fatigue by asking for redundant information or even information you already know … like their name.
- Skip the email chains and time-consuming spreadsheets: New platforms have allowed companies to automate managing their vendors. The right platform can even help companies move to a faster, more efficient way to complete third party risk assessments while removing manual data collection processes like spreadsheets and email chains.
No matter your approach, risk never sleeps. It’s critical to understand your vendors’ security controls and what potential risks exist with each and every partnership.