Sharing information with dozens, hundreds, or thousands of vendors and other third parties means just as many opportunities to have information leaked or stolen. The volume and variety of vendor contracts also make it that the cost of attempting to pin responsibility on all vendors for the same information security requirements would be impractically huge. Ericka Chickowski writes about how vendor management executives must start working with IT risk managers if they are to address this security concerns in a doable way.
According to the Ponemon Institute, 42% of breaches are the result of third-party mistakes. Cyber criminals have realized that if they want to infiltrate banks or big pharmaceutical companies, it is much easier to walk in through the flimsy doors of the third-party vendors who have a link to IT infrastructure rather than attempt to break down the walls of the big companies themselves. In spite of agreements made or contracts signed, there is only so much a vendor can really be expected to do legally to protect your enterprise’s information. There is an example given of a pharmaceutical company that worked with 14,000 vendors, 11,000 of which captured data considered sensitive or confidential, though there were no special protocols set in place for these vendors. The Information Security Forum (ISF) has worked to codify a process by which the most risky suppliers are identified and prioritized for consideration, based upon a variety of factors. ISF’s CEO Michael de Crespigny elaborates:
“Around those we came up with a method that helps them think about how they follow the information on a contract-by-contract basis and identifying individual contracts they should be focusing on to impose particular information security requirements,” he says, explaining that it boils down to establishing within the supply chain the risk management fundamentals of assessing risks so that it's easiest to address the biggest risks first. “What you need to do is to do it according to where the risk lies so you get really deep assurance where you need it, and you impose very light requirements where the risk and the consequence is not so great.” According to Ponemon, not only is it important to flag riskier vendors by the type of shared information they are entrusted with, but also by their geographic location.
Enterprises need to devise better security requirements and purchase contracts. Information security must come hand in hand with procurement or else the pieces will not click. It is easy to see then how risk management applies to this situation, in that IT risk managers are always scanning for potential problems before they occur. In the case of vendors, it is about designing better overarching principles by which to interact with them and mitigate the potential for leaks and theft. Cyber criminals are a crafty bunch, but that does not mean throwing up your hands and saying nothing can be done to prevent it. Risk management needs to be that shining knight for enterprise procurement, riding up on a horse and lancing a cyber criminal right in the gut, figuratively or literally.