How to Determine the Most Effective Third-Party Risk Management Strategy for Your Company

There are many best practices for avoiding a third-party data breach, but where do you start?

If third-party data breaches were once a little-known risk for companies doing business online, they shouldn’t be anymore. A growing number of major companies are making headlines as a result of data breaches caused by third parties, most recently Hyatt Hotels, Domino’s, and Pizza Hut.

Though companies are aware of the risk of sharing sensitive information with third parties, they still share it, not out of negligence, but because they lack the resources and know-how to establish a thorough third-party risk management program. Research shows, however, that establishing such a program is one of the most effective ways to protect against a third-party data breach.

Here’s how to determine the most effective third-party risk management strategy for your company based on the Opus-sponsored 2017 Data Risk in the Third Party Ecosystem Study from the Ponemon Institute.

Make Third-Party Risk Management a Business Priority

Companies are increasingly outsourcing to third parties to enhance their service offerings, increase their capacity, and spur business growth. These are all good things, but they open companies up to new information security concerns, because outsourcing can mean sharing sensitive data with outside parties. To scale effectively using third parties while keeping information secure from a third-party data breach, companies need to make third-party risk management a business priority. This means devoting more resources, both monetary and personnel, to developing a third-party risk management program suited to the company’s needs.

Create a Dedicated Third-Party Risk Management Team

Once a company recognizes the need for comprehensive third-party risk management, the next step is to develop a team to focus on building the most effective third-party risk management program for the organization. Having a cross-functional team whose job it is to monitor and understand third parties’ information security policies is crucial to having an ongoing way to determine the best way to mitigate third-party risk. Companies that form a dedicated third-party risk management committee are 15% less likely to suffer a data breach.

This team is also the go-to source of information on third-party risk for senior leadership and the board of directors, and it should regularly report to leadership on the effectiveness of third-party risk management programs. High-level collaboration can increase budget and encourage the creation of a risk management program well suited to the company’s needs. In fact, companies with strong board-level oversight and involvement are 10% less likely to suffer a data breach.

Know Who All of Your Third Parties Are and What Information is Shared

To determine the best way to manage third-party risk, companies need to know who their third parties are and what information is being shared with each one. It’s impossible to manage all sources of risk effectively without identifying each third party and its access to sensitive data. By keeping a complete, up-to-date, real-time inventory of all third parties, companies can determine best practices for managing each third party based on its risk, along with the steps to take if risk levels change or new concerns arise.

With a comprehensive inventory of all third parties, companies can keep track of documentation, such as contractual agreements, and workflows, including the audits and assessments used to evaluate the security and privacy practices of third parties. Establishing visibility into third parties provides data on how best to manage each one and reduces the likelihood of a data breach: companies that take an inventory of all third parties with whom they share information are 19% less likely to suffer a data breach than those that don’t.

Understand the Implications of Nth Party Risk

Third parties are not the final layer of risk for companies. Nth parties are suppliers or partners employed by a company’s third parties, and they often come into contact with sensitive information. To develop an effective risk management program, companies need to understand that Nth parties exist and bring new risk that requires security practices to manage it. Companies that maintain visibility into the third or Nth parties they do business with, but don’t have direct relationships with, are also 15% less likely to suffer a data breach. One way to do so is to make sure vendor contracts require third parties to share information about their own third-party relationships with whom they will share sensitive information.

Third-party data breaches are up 7% over last year, with 56% of respondents reporting a data breach as a result of a third-party vendor in the 2017 Data Risk in the Third Party Ecosystem Study from the Ponemon Institute. As a result, creating a formal process for regularly reviewing third parties’ security and privacy practices is necessary to proactively prevent a data breach.

Developing a tailored third-party risk management program is crucial as the costs and frequency of third-party data breaches grow. Automation and other techniques can help.

Get started developing a program for your company. Download the 5 Tips to Reduce the Likelihood of a Third-Party Data Breach infographic from Opus.

Dov Goldman
VP, Innovation and Alliances