What your suppliers aren’t telling you (and why you should worry)
In a multi-partner service delivery model, transparency and visibility are essential to an effective security and supplier risk management (SRM) strategy. Yet a wide range of evidence suggests that this transparency is sorely lacking in many cases.
According to a study by the independent Ponemon Institute, 73 per cent of suppliers that experience a data breach don’t notify other vendors in the supply chain, while more than a third (37 per cent) of suppliers don’t notify their customers.
Lack of transparency and communication is one of a number of fundamental flaws characterising the security postures of global enterprises. Consider oversight; specifically, the question of who assumes responsibility and accountability. Because SRM has such far-reaching business impact and has so many touch points within the enterprise, defining where precisely ownership should reside can present a challenge. Indeed, SRM leadership can be assigned variously to the IT, IT security, procurement, finance and risk management functions. While involvement of multiple functions is essential, what’s troubling is that Ponemon found that 21 per cent of organisations have no single function assigned to lead supplier risk oversight – potentially resulting in diffusion of accountability and increased likelihood of serious flaws falling through the cracks.
Security audits are another area of concern. For one thing, many enterprises tend to conduct audits based on a schedule, rather than in response to a heightened level of risk in either the internal or external environment. Moreover, businesses that conduct security audits often lack the documentation needed to validate the audit process and satisfy inquiries from regulatory bodies. A related problem is the assumption that conducting a supplier audit will address risks; in fact, exposing flaws does not equate to addressing them.
Recent research by Softtek sheds additional light on the problem, focusing on the state of supplier capabilities to support SRM. We analysed the risk management and security practices of more than 1000 global suppliers, evaluating key processes and more than 200 separate control metrics in areas such as encryption, cryptography, physical and environmental security, access control and incident management.
Of the suppliers we assessed, roughly half can’t be trusted to securely dispose of customer information, haven’t audited their security programs during the past 12 months and do not encrypt data at the storage level. More than a quarter, meanwhile, have no process in place to manage identity or revoke access rights (a critical potential source of breaches).
The problem of ineffective SRM seems to be getting worse; our analysis found that suppliers failed 9 per cent more controls in 2015 than they had in 2014. And given the current tsunami-like proliferation of users and data, and of mobile, IoT, connected and wearable devices, prospects for reversing the downward trend appear slim.
So, what is to be done? For enterprises seeking to improve their SRM capabilities, defining priorities and establishing specific tasks, milestones and responsibilities is imperative. Over the short term (30 to 60 days), organisations should identify the third parties that potentially represent the most critical risk in terms of access to, say, financial or customer data. Because large, global organisations typically have hundreds of suppliers, subjecting every single one to the same level of scrutiny isn’t viable. That said, while major suppliers accessing proprietary data are obvious priorities, small and seemingly innocuous suppliers can pose significant risk.
Once key suppliers are identified, an assessment exercise can define a list of top ten findings around potential vulnerabilities. That list of findings, in turn, can inform the next audit cycle as well as the development of a set of metrics to support a benchmarking program of third parties.
Over the medium term of six months or so, metrics and benchmarking results can be used to create internal awareness among the myriad stakeholders involved in supplier risk. Relatedly, the internal procurement process should be evaluated to more closely track the potential for cyber risk throughout the chain of service delivery. Contractual security requirements around liability and fourth parties should be added to prevent new threats from encroaching into the supplier ecosystem. And, as new third parties are added to the mix, due diligence should be applied to assess cybersecurity risk and maturity levels.
Long-term supplier risk strategies can be a bit problematic, since the pace at which technology is changing and new threats are emerging is so rapid. In other words, today’s long-term strategy will be obsolete a year from now. That said, refining communication processes around security incidents can ensure that new threats are identified as they emerge and before they do damage. Continuous process validation and verification can further enhance flexibility and responsiveness. Finally, a commitment to continuous improvement of the lifecycle of third-party risk management can help businesses stay one step ahead of a constantly evolving risk environment.
About the Author
Leo Navarro is Information Security Global Practice VP & Offering Manager for Softtek, a global provider of process-based IT solutions. Leo has more than 15 years of experience in IT, risk management, security, software development, quality assurance and IT operations.