Businesses of all sizes are outsourcing more of their operations than ever. The global market for outsourcing and shared services, estimated at $36.85 billion in 2019, is expected to exceed $100 billion by 2027. And more than 80% of small businesses plan to outsource some of their key business functions by the end of 2021. Relying on third-party partners and service providers brings many benefits. It can enhance business capabilities by providing access to best-of-breed products and solutions as well as scarce talent in a way that’s cost-effective and right-sized for current needs.
However, if business relationships are entered into without appropriate risk consideration and due diligence, outsourcing can create significant cybersecurity risks. According to research conducted by Deloitte, 83% of organizations experienced a third-party incident between 2016 and 2019. Because more organizations are leveraging third-party relationships to meet strategic objectives in the wake of the global COVID-19 pandemic, that number is likely to see further growth.
Third-Party Risk is Behind Many Breaches that Make Headlines
Some of the best-known breaches in cybersecurity came about because of third-party risk.
Recently, high-profile events like the SolarWinds and Kaseya software supply chain-based attacks have drawn attention to the risks that today’s highly interdependent and interconnected business computing ecosystems can pose. Such incidents have vaulted the need for effective third-party risk management (TPRM) into the public eye, which means that there’s now more awareness that this is simply sound, and expected, business practice.
Increasingly, regulators are also requiring organizations to formally evaluate risks that may reside within their partnership networks and supply chains. The Cybersecurity Maturity Model Certification (CMMC), for instance, now obligates all companies serving the Defense Industrial Base to undergo a third-party risk evaluation. It’s likely that these sorts of standards will become increasingly common in the coming years, which will motivate more companies to accomplish effective TPRM on a consistent and ongoing basis.
Third-Party Risk Management Challenges
Managing third-party risk effectively isn’t an easy task. It’s challenging to gain adequate visibility into another organization’s operating environment and internal practices; often limited to answers to security questions or perhaps a third-party report which may or may not cover off on the risks that are in play.
Not all business relationships are the same: those that are embedded into business-critical transaction flows, or involve access to sensitive data, warrant closer scrutiny than relationships that pose less operational risk. No questionnaire — even if it’s several hundred questions long — can surface enough information about potential weaknesses that could harm your organization. An experienced TPRM assessor who possesses institutional knowledge of your organization should know where, when, and how to dig deeper.
Organizational missteps can occur, too. It’s not uncommon for a product or service to be procured without a security review. Once entered into a contract, you have far less leverage when it comes to getting action and attention towards remediating security issues that don’t meet your business requirements. Creating a standardized procurement workflow, ideally system based, which requires security vetting at the right time is the most reliable way to prevent entering into a relationship with an insecure third-party.
Best Practices for Improving Third-Party Risk Management
With a well-designed TPRM program, you’ll be able to accurately identify the risks to data security and business operations that your outsourcing relationships may introduce. An effective program will identify issues, prioritize them, find acceptable solutions, and track remediation efforts through to completion.
- It’s important to communicate clearly with your current and prospective business partners and vendors. Let them know that undergoing a TPRM assessment is going to become a requirement for doing business with you. Including stipulations within future contracts that you enter into can solidify partners’ understanding of your expectations.
- Keep the focus on areas that truly matter to your business, and work to find acceptable measures to address the risk exposure. You’ll never be able to see every issue deep inside every organization that you work with — instead, focus on the ones that are most likely to cause you significant harm.
- Pay attention to risk culture. A lot can be gleaned from how the other party views the TPRM process and risk management in general. Companies that don’t place a value on it tend to be evasive, dismissive, incomplete with answers, and minimize risk exposure concerns. Mature, like-minded organizations are helpful, proactive, prepared, and responsive to legitimate concerns.
- Leveraging a vendor risk management software solution will give you a single, centralized place where you can go to visualize processes and see relevant risk data in aggregate.
If you’re interested in learning more about how BTB Security’s highly effective, scalable TPRM practice could help your organization better manage third-party risk without needing to invest in obtaining the internal expertise to run a mature TPRM program, get in touch with a member of our team of experts today or check out our overview.