Ever heard of Fazio Mechanical Services, a small Pennsylvania company that installs supermarket refrigeration systems in the Midwest? If you don’t know the company, you should. It’s the contractor that provided an entry point for hackers to steal credit card information from more than 40 million Target shoppers in one of the most devastating data security breaches ever seen.
As more companies rely on outsiders for services–everything from janitorial work to cloud computing–the risks these third parties pose to sensitive data are growing exponentially.
In a recent survey of IT professionals, 71 percent said they expected to increase their relationships with third-party providers over the next two years. At the same time, 92 percent reported a high level of trust in their vendors, which is troublesome since an increasing number of data breaches are happening through third-party vendors. As Benjamin Lawsky, New York's top financial regulator, said following a devastating cyberattack against JP Morgan Chase, "a firm's level of cybersecurity is only as good as the cybersecurity of its vendors." That's why third-party risk has become a top priority for many companies–and if it's not already on your list of concerns, it should be.
As the Fazio Mechanical Services case shows, companies never know where risks may lurk. FMS was a minor contractor that only worked for Target in a limited number of states. Nevertheless, it exchanged data with the company through its billing and contract management system, giving attackers the opening they needed. Where hackers once tried to infiltrate systems through the front door, they've now learned to attack companies wherever their data is at its most vulnerable.
You may think your company is covered from third-party risks by supplier contracts requiring vendors to protect data and comply with any applicable laws. But take a closer look. In most cases, there’s no clear explanation of how vendors will protect your company’s data or specific requirements and expectations about how they will handle and store your data.
Rather than simply relying on these third-party contracts, it’s critical for companies to establish a system of high-quality custodial care for any sensitive information, no matter where it goes and who has access to it.
Assessment and inventory
The best place to start is by assembling a cross-functional team (not just the IT department) to figure out what data is most important to your organization and what risks that data poses. For example, companies can go through and identify certain types of data like protected health information (PHI) or personally identifiable information (PII), both of which carry a number of regulatory and compliance requirements. That type of data requires far more rigorous protection than less critical data.
Once an organization completes a full data assessment, it should trace where that data lives. Where is it internally, and which outside systems does it touch? And don't just find out where it is today. It's important to track your data from cradle to grave and figure out who shares it at any point along the continuum. In the process of doing that, you'll identify many of your vendors. Yet, to get an even more comprehensive inventory, you'll want to cross-check your results with a master list of third parties working with your company.
These assessment and inventory processes can be very revealing. More than likely, you’ll end up discovering important things about your vendors that you didn’t know previously. You may not realize, for example, that a third party is sharing your company’s data with two other outside vendors.
Tiers of controls
The next step in developing a robust system to govern these data safeguards involves classifying what kinds of controls your organization would like to have in place given the third-party relationships you’ve identified. An external group that serves as a custodian of a company’s data, but has no direct access to its IT systems, might constitute one level of risk. Another group that has a direct connection and can interact with a company’s data would represent a different level of risk. Or maybe there’s a vendor with no electronic access to a company’s data, which would represent another level of risk.
The key point is that companies need to develop a process to classify the risk associated with each of those vendor relationships, offering different tiers of controls and safeguards that are then rolled out to third parties based on those risk classifications.
A vendor with a high-risk classification might compel you to conduct an on-site assessment of its security program. You may even need to rewrite your contract to spell out exactly what kinds of controls the third party needs to have in place. Those with a lower risk classification may simply have to complete an annual questionnaire. And some may not require any additional scrutiny at all.
While every company has unique needs and unique data, much of the process of developing a system to manage third-party risk is pretty straightforward. But it's not an activity that happens at a single moment in time. It should be an ongoing, self-sustaining process. That means doing things like requiring periodic testing and follow-ups. It also means that companies need to build good controls into their business processes, like purchasing, so they can immediately recognize new vendors and fit them into the risk classification system. In turn, that will quickly and easily help guide companies to manage third parties appropriately.
Developing this kind of visibility about vendors can also help when it comes to compliance issues. Typically, legal departments stay abreast of major federal changes, but state-by-state requirements can be hard to keep up with–and these can apply not only when a company operates in a particular state, but also when it merely holds data about that state's residents.
What's most important in developing any good third-party risk management system is to create a standard methodology that's consistent and transparent across the organization. A single, highly rigorous level of protection applied to everyone is often hard for companies to maintain. It's far more effective to establish a standard set of protocols based on risk classifications that keep your current third parties in check while quickly and easily bringing new ones into the same system.