How Risky Are Your Suppliers? A Look at Digital 3rd-Party Risk in 2016


Increasingly, security threats not only come from within your organization but from outside suppliers that have access to critical data or collect critical information. Most partners and vendors will not meet the same security controls and standards as your company does, creating threats and risks that are usually underestimated.

Consequently, third-party risk is increasingly gaining the attention of regulators, risk officers and just about anyone. Your organization is increasingly trusting and sharing information with a broader set of suppliers that consume your information in ways not thought possible a few years ago.

You are using systems everywhere you look to automate work and achieve company goals. The Internet of things, the massive explosion of new social media sites, the growing federation of data to improve marketing and sales, the shift to industry 4.0 and Brilliant Manufacturing are just some of the factors driving this explosive growth.

In a recent study, Softtek’s Supplier Risk Management team conducted an IT risk assessment across 1,236 service providers, suppliers, contractors, or vendors, from SMEs to large suppliers with over $50B in revenue, across Europe, Asia, North and Latin America. Interestingly, we found wild fluctuations in the way suppliers and partners from different industries treat data security.

Software Development Wins, Lawyers Lose

Third-party risk management has become a top concern in large part due to the increase in hacker sophistication, the rising monetary and reputation costs of breaches, and the consequences of successful cyber-security attacks.

But if you thought your suppliers and partners were becoming more sophisticated and conscientious in their security processes, you’d be mistaken. Our data shows the opposite: third parties are failing at controls more than before.

Best-in-class software development firms feature the highest level of compliance when assessed, outpacing even the compliance programs of data processing and data hosting service providers. Every other group has seen a deterioration. In 2015, suppliers complied with 89.7% of all controls, a decline of 3.5% when compared to 2014 scores.

One reason is that they tend to have high privileges and may even be operating within your facilities, which requires these vendors to operate under the most stringent compliance conditions of all.

But it’s the lawyers who are giving everybody headaches. The top scoring legal firms rank lowest across all best-in-class groups, excluding companies that just collect information. Legal Services providers manage highly sensitive information, but they often fail to conduct necessary vulnerability assessments of their web or Internet-exposed applications, while we’re entrusting them with ever more sensitive information.

Should you worry? The Panama Leaks in 2016 exposed confidential information of more than 200,000 organizations worldwide.

In another ironic twist, Data Hosting providers have been shown to be vulnerable. This group has the most stringent information security policies. However, 29% of them need to implement auditable processes for secure disposal or wiping of information. Because they frequently reuse media across clients, they must ensure client data is not recoverable. Many still lack a documented information security incident management process.

In the report we provide a lot more detail, including the security controls we judged and comparisons between third parties in different industries. We discuss best-in-class and worst-in-class supplier types, we help you identify the compliance gaps, and we provide you with the most important questions you need to ask your suppliers to ensure they’re taking care of your data.

Read "The State of Digital Third-Party Risk 2016" to get all of the findings, and learn how to keep your data secure by securing your supplier and partner relationships.
