Source: LinkedIn, author Jason James
Over the past 10 years, the Verizon Data Breach Investigations Report has identified more than 8,000 data breaches and a whopping 195,000 security incidents. When you do the math, that’s an average of about 15 breaches and 375 incidents per week. And considering 2,100 data breaches occurred in 2014 alone, the situation is getting worse, not better …
Risk professionals know all too well about the threats that loom, not only in terms of the damage today’s data breaches can wreak on companies, but also the swath of negative press they can result in. The situation seems to amplify when a third party is responsible for a security incident or data compromise. Nothing is more frustrating than a company going to great lengths to mitigate internal risk and minimize threats, only to have a careless vendor cause a breach that ends up costing millions.
In this current threat environment, a robust vendor risk management strategy is crucial. Here are four risk management tips that can help in the battle to prevent data breaches:
Not every vendor is created equal. Some can be safely ignored because they pose little or no risk. Others are so vital to your company’s success and/or are so inherently risky that they need more of your attention. Often, these key vendors—particularly ones handling sensitive IT or customer data—will require more frequent risk assessments. However, you likely do not have unlimited resources to screen every supplier in your portfolio. Therefore, determining what vendors are key, as well as how often these essential contractors should be assessed, is among the most important risk management tips you can follow.
Most risk staffs are constantly pressed for time. If hours or days are needed just to compile assessment data into some sort of usable analysis, they won’t be able to maximize the number of vendors they can screen. And if the one vendor that was next on your list to assess, but you didn’t have time for, turns out to be the one that suffers a data breach … well, your co-workers will understand when they see you banging your head against a desk. Many automated vendor risk management solutions are incorporating advanced risk scoring into their platforms, thus streamlining the analysis process while providing a richer set of data. These metrics allow risk staffs to make quicker, better-qualified decisions.
Assessing today’s vendors with yesterday’s risk intelligence is a recipe for disaster. After all, a three-year-old spreadsheet-based screening template won’t include questions on how an IT supplier protects against a virus that was just introduced last year. Avoiding this quandary is as straightforward as keeping your assessments current, but again, risk staffs often don’t have time to track every little threat that emerges and should find its way onto the questionnaires sent to third parties. Today’s vendor risk management software does all this work for you so that you can be confident the assessments your suppliers are answering are as updated as possible.
Remediation may seem an unlikely inclusion among risk management tips, but taking action after a completed assessment is received is an important part of the vendor risk management process. If you have the data from the screening, then make some decisions on your next steps. Even if you determine you can live with the level of risk a vendor presents, you are still forming a strategy, which is a step up from perusing the risk scores and hoping a supplier figures out how to solve its own problems. A proactive remediation plan may take on various forms, but its ultimate goal is to reduce the chance of a data breach or other negative event that will adversely affect your company.