Reactive Third-Party Risk Planning is a Slippery Slope
An organization’s supply chain can change on a daily basis. Business partners need access to sensitive information to help a company achieve its goals, and vendors supplying critical components and services require APIs and network access. Some of these third parties may be long-term and trusted partners, while others may be relatively unknown and based across the world.
While it seems obvious that organizations need to step up and plan proactively for third-party risk in their security programs, many organizations slip up by taking a reactive or ad hoc approach. In a 2019 study, the Ponemon Institute found that almost 1 in 5 organizations surveyed review their third-party risk management programs only after a third party has a security incident, and 23% had no schedule at all for reviewing their programs and policies. Taken together, that means over 40% of organizations aren’t performing basic due diligence – on what many see as the greatest security vulnerability.
The lack of proactive planning can have costs. Irrespective of the attack vector, the responsibility for protecting sensitive information – and the consequences of a breach – remain with the owners of the information. Regulatory standards like HIPAA, GDPR, the California Consumer Privacy Act, and Section 5 of the FTC Act require the protection of sensitive information. This responsibility cannot be “outsourced” to a vendor – you can outsource the operation, but you can’t outsource the risk.