Two Surprising Findings from the 2016 Digital Third-Party Risk Report


Softtek’s 2016 State of Digital Third-Party Risk report provides companies with an eye-opening conclusion: you need to be a lot more careful before you trust your third-party providers.

Your organization is increasingly trusting and sharing information with a broader set of suppliers that consume your information in ways not thought possible a few years ago. You are using systems everywhere you look to automate work and achieve company goals. The Internet of things, the massive explosion of new social media sites, the growing federation of data to improve marketing and sales, the shift to industry 4.0 and Brilliant Manufacturing are just some of the factors driving this explosive growth.

The current report is based on a sample of 1,236 assessments of suppliers ranging from SMEs to large suppliers with over $50B in revenue, and stems from a set of 286 controls aligned with ISO 27001, organized across 14 security domains.

In other words, a lot of research went into deriving the report's findings. I had a chance to speak with the report authors about their conclusions.

3rd-Party Risk Assumptions You Can Implement Right Now

And just how can you leverage the 1,236 assessments summarized in the report for your own organization’s third-party security situation? For one, you don’t have to start from scratch in your own audit.

Federico Ferreres, co-author of the report, said, "One of the lightbulb moments we had when drafting the report and looking at the patterns that emerged across these assessments was that there is a common set of top three findings or vulnerabilities found in organizations industry-wide."

In other words, before starting your own audit and third-party risk evaluation, you should at least verify that the top two or top three vulnerabilities are not present in your vendor and partnership relationships.

What are the top three security concerns? The report findings show that they are:

  • Lack of an audited method to securely dispose of media or equipment storing client data
  • Lack of internal/external IT audit or information security risk assessment
  • Data not encrypted in storage

The Risk of 4th Parties

And if third-party risk wasn’t enough, there’s a new supplier risk rearing its scary head: fourth-party risk.

What is fourth-party risk? This is your third party’s third party. Say, for example, you hire a consulting company to help you build new mobile application capabilities. This consulting company may sub-contract out some of its work to another organization in Bangladesh or Belize. If you think covering the data risk of your mobile application developer is tough, try managing the data risk potential of the sub-contractor.

Leo Navarro, co-author of the report, told me:

“More organizations are now looking into ‘fourth-party risk,’ because they know that third parties rely heavily on information flowing to and from them, and they lack a way to control how these fourth parties secure that data. It’s important for us to remember that the chain is only as strong as its weakest link.”

Starting Your Audit

So before starting your third-party risk audit from scratch, take to heart these two take-aways:

  1. Get a head start on your audit by assuming your third parties will have the same top two or three risks published in the Softtek report. Then verify that assumption by testing for those risks. Navarro told me this was a good starting point and a way to get you into high gear. However, don’t just stop there.
  2. In addition to the other areas you should audit for, check your fourth-party risk. What are your third party’s third parties doing with their data? How are they securing the information coming into and out of your organization?

For more details, get a copy of the report here, and happy auditing!