How Trustworthy Are Your Third-Party Vendors?
Why Self-Reporting Surveys Alone Don’t Cut it in Today’s High-Risk Digital World
It’s human nature to put gloss over our faults — especially when the truth paints a less-than-flattering picture. Why, then, do you rely on vendor questionnaires to gauge the security of your third-party providers?
Organizations of every size count on third-party vendors, but operational data and confidential information shared with these third parties may be vulnerable to misuse or exploitation.
Since vendors don’t always have strong cybersecurity programs, your organization needs a comprehensive third-party risk management (TPRM) program to mitigate the risks and to inform the business decision about whether to continue each relationship.
TPRM involves identifying, assessing and controlling the various risks that can develop alongside third-party relationships. With TPRM, you’re looking for weak links in your supply chain with an eye toward strengthening them at every stage: from procurement through offboarding.
The process begins with a due diligence questionnaire (DDQ). A DDQ is a self-reported survey in which prospective vendors demonstrate compliance. Thorough due diligence should also involve a risk assessment for each contractor, vendor, supplier and service provider in your company’s business ecosystem.
Clearly, inaccurate self-reporting on DDQs can pose a serious threat to your organization, and surveys alone aren’t enough to ensure that your sensitive data is secure in someone else’s hands. Even when your organization has a thorough governance, risk and compliance (GRC) program in place, the organizations you do business with may not. So, how can you know? And how can you make sure your information is safe in your vendors’ hands?
Why is TPRM important?
If there’s a breach, you’re accountable, especially if you’re protecting other people’s information, such as data covered by PCI DSS, HIPAA or federal contract requirements. Furthermore, if a business in your ecosystem suffers a breach and your information is lost, you are still impacted even when it’s not your fault. Regulators will scrutinize your organization and its vendors and may hold you responsible.
Unfortunately, not all vendor risks are readily apparent. You may be able to easily assess the risk associated with your contracted business partners, but tracking their vendors might be impossible. And if your third-party vendors do experience a breach, the consequences can be costly.
According to a 2020 Ponemon Institute report, 53 percent of organizations have experienced at least one data breach caused by a third party over the past two years, with remediation costs averaging $7.5 million. The average American organization shares data with 730 distinct third-party vendors, the likes of whom were ultimately responsible for two out of every three data breaches experienced by those organizations.
The 2020 cyberattack on SolarWinds, a major U.S. information technology firm, went undetected for months. The company unknowingly sent a software update that included malicious code to 18,000 of its 33,000 customers, creating a back door to its customers’ information technology systems. This allowed hackers to install malware and access sensitive data belonging to companies and organizations using SolarWinds’ software.
As alarming as that sounds, situations like this one are avoidable. A detailed penetration test could have helped prevent the SolarWinds breach.
Unfortunately, pressure to increase revenue at the expense of strong security may make these breaches more likely than ever. While penetration testing can be expensive, it’s less costly than the fines, unexpected costs and other consequences that come with a breach. For example, SolarWinds is now planning to rebrand its entire company because of the breach’s effects on its reputation.
Every third party poses a potentially significant risk to your organization. These risks can include:
- Reputational risk
- Operational risk
- Transactional risk
- Credit risk
- Compliance risk
- Strategic risk
- Legal risk
- IT/cybersecurity risk
- Fiduciary risk
Compliance risk may be the most daunting, and the consequences of failure most damning. Almost all compliance frameworks require continuous monitoring of third-party vendors. The repercussions for failing to comply can be disastrous.
TPRM and regulatory frameworks
- The Health Insurance Portability and Accountability Act (HIPAA) specifically addresses TPRM, stating that electronic Protected Health Information (ePHI) must be protected against threats, hazards and unauthorized use or disclosure. Vendor contracts must also contain privacy and security assurances.
- The Payment Card Industry Data Security Standard (PCI DSS) includes TPRM as a requirement for compliance, defining a “third-party service provider” as any vendor that stores, processes or transmits cardholder data.
- The National Institute of Standards and Technology (NIST) SP 800-171, a widely used cybersecurity framework, includes 110 controls recommended for protecting the confidentiality of Controlled Unclassified Information (CUI).
- The Cybersecurity Maturity Model Certification (CMMC), a framework built upon existing regulation (DFARS 252.204-7012) as well as NIST SP 800-171, makes verification a cybersecurity must. This certification, required for all contractors working with the Department of Defense (DoD), requires an independent, external auditor to certify that DoD vendors meet its security standards.
- The False Claims Act imposes penalties on government vendors whose DDQs aren’t honest, yet many DoD contractors have been found to self-report inaccurately. The DoD alone works with tens of thousands of third parties, so it can’t reasonably verify every DDQ. Even those of us working with far fewer vendors than the DoD often fail to verify the accuracy of survey responses.
“Trust but verify”
Why do third-party vendors inaccurately self-report on DDQs? They may want to:
- Win the contract
- Be seen in a better light
- Avoid investing the time or money necessary to get accurate answers
“Trust but verify” is a security model many organizations profess to follow. However, too often they fall short in the verification department, particularly when it comes to the security of their supply chain.
How to up your TPRM game
There’s no foolproof method for verifying vendor security; you’ve got to have a certain amount of trust.
There are, however, ways to improve your TPRM process, starting with assessing vendor risk.
First, evaluate existing risk assessments. This usually involves requiring your vendors to share their risk assessment reports. Vendors that handle your most sensitive information should provide you with evidence that they comply with your security frameworks.
Once you know which vendors pose the greatest risk, refine your DDQ to make sure it is getting the information you need to protect your business. Reference the 110 NIST SP 800-171 controls to get a better sense of how effective your DDQ is.
Although TPRM is crucial for compliance, it can pose challenges. You may find that you lack the resources, communication tools or workflow automation technology to implement TPRM.
When third-party vendors inaccurately self-report on DDQs, the potential risk to your organization increases sharply. Luckily, you can enlist help to streamline your TPRM process and verify that third-party vendor DDQs are accurate.
TPRM-as-a-Service: Should You Try It?
TPRM can seem overwhelming, but you don’t have to do it alone.
TPRM-as-a-Service provides a number of benefits to organizations implementing a new TPRM program or bolstering existing efforts. Providers can assist you with the management of third-party processes, build third-party risk profiles and categorizations, and make TPRM easier and more effective.
Marcum Technology provides a human approach to security. Our professionals deliver practical guidance to give you peace of mind when it comes to your online presence.
Our professionals have cybersecurity experience that our competitors can’t match, including team members with federal agency experience.
Marcum Technology can help you develop a DDQ uniquely suited to your environment and ensure you’re asking third-party vendors the right questions. We’ll discuss your risk tolerance and make sure that your DDQ isn’t overwhelming or perfunctory.
In addition, Marcum Technology can help you assess which third-party vendors have the most access to your organization’s information (top-risk vendors) and which pose the greatest potential risk. We advise on vendor security assessments and score them for you. Our open-source intelligence research into vendors will help make sure they are free of red flags that suggest they could represent a risk.
As a service provider, Marcum Technology isn’t out to sell you software. We recommend products, and are happy to work with those you already know and use. Our goal is to provide you with the best security services and the sense of calm that comes with knowing you’re protected.
Contact Marcum Technology today to find out how we can help you improve the accuracy of your third-party DDQs, or create the TPRM program for your needs.