As your organization grows and adds new vendors, certain processes that used to work for your Information Security and IT teams may begin to stretch and break. For instance, if your team has been gathering vendor information and conducting vendor assessments manually, it is only a matter of time until the volume of new vendors is too much to handle in a reasonable amount of time, or worse, new tools and solutions begin to slip through the cracks without proper oversight. After all, the rate of SaaS adoption in organizations is exploding. A recent Ponemon Institute study explains:
“One of the leading risks companies face when defending against cyberattacks is those brought on by their third party ecosystem. In fact, 56% of companies surveyed by Ponemon experienced a data breach caused by a third party, a seven percent increase from 2016. The survey also found that 42% of companies experienced cyberattacks against third parties that resulted in the misuse of their company’s sensitive or confidential information, an 8% increase from 2016. Three-quarters of organizations said they believed the total number of cyber security incidents involving third parties is ‘increasing’.”
In a future blog post, we’ll address the final step in our series of raising awareness with your leadership team that we outlined in our latest ebook, “Why Third Party Security is Critically Important”. But today, we’ll address the challenge described above in Part 4 of the series, “Build An Ongoing Process to Gather Vendor Information and Data Access”. Did you miss Parts 1, 2, or 3? Check all of them out on the Whistic blog.
Overseeing The Purchasing Process
Every single time new software is purchased, the Information Security team should be involved in the procurement process — no exceptions. While it may seem like a waste of time to dedicate resources to oversee even the smallest new purchase, keep in mind that it takes only a single incident for the entire organization (along with customers, prospects, and partners) to be exposed to an outside threat.
For example’s sake, let’s say that your marketing team is evaluating a new email signature tool which costs about $2/user/month. Does it even warrant involving your Information Security team when there are other far more expensive decisions on the table that affect more than a handful of marketing specialists and sales reps? A thousand times, YES. If that seemingly harmless email signature tool has a security flaw, it could expose your entire organization — along with anyone else who receives an email from those marketing and sales reps — to significant risk. It’s simply not worth overlooking seemingly small purchases, as they can pose just as much of a threat as solutions that are used enterprise-wide or cost 10x as much. What you should really focus on is not the dollar value of the vendor contract, but what type of data and how much data the vendor will have access to, as well as which key systems the vendor will be granted access to.
Make Sure Information Security Is Aware of Purchases Early In The Buying Process
In order for your Information Security team to be seen as an ally and not an enemy in the procurement process, it’s critical that they are involved from the very start. After all, what’s worse than getting all the way to the contract phase of an agreement only to be told “No” or “Wait” by a single department that hasn’t had visibility into any of the conversations up to that point? It’s frustrating to say the least, which is why it’s best to create a process where the Information Security team is involved from the start to support the purchasing process, rather than being seen as a negative force. To get there, gather Procurement and business unit leadership together to agree on how the Information Security team will become aware of new purchases earlier in the buying process.
Conduct An Initial Analysis of Inherent Risk
The employee or department that would like to begin the purchasing process for a piece of software typically has (or can easily get) any information the Information Security team needs in order to conduct an initial analysis of inherent risk and the level of assessment needed. While we’ve covered this in earlier posts, it’s worth briefly revisiting the topic. As we covered in Part 2, each vendor brings with it an inherent level of risk — some simply present a greater risk than others.
Because of the severity of cybersecurity threats, one of the most important things that organizations can do to prepare for and minimize risk is to first have a thorough understanding of what sensitive information or applications third party vendors have access to. Once the inherent risk is understood, then the Information Security team can identify the level of vendor assessment needed and adjust the process moving forward accordingly.
The initial analysis also helps prevent the leaky-bucket syndrome, where it’s simply impossible to catch up with the growing list of vendors that need assessments, regardless of how hard the team works: vendors that carry little inherent risk get a lightweight review, so the team’s time goes to the vendors that matter most.
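To make the inherent-risk triage concrete, here is an added example (not Whistic’s product or process) that scores a vendor intake record on the three factors the post names, data sensitivity, data volume and key-system access, and deliberately ignores contract value. The weights, thresholds, data classes and the two constructed intake records (including the $2/user/month email signature tool from above) are illustrative assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum

class DataClass(IntEnum):
    """Sensitivity of the data the vendor will touch (illustrative classes)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    REGULATED = 3   # PII, payment or health data under a legal obligation

@dataclass(frozen=True)
class VendorIntake:
    name: str
    annual_cost_usd: float
    data_classes: frozenset          # DataClass values the vendor can read
    record_volume: int               # approximate number of records exposed
    key_systems: frozenset           # integrations, e.g. {"email", "sso"}

def inherent_risk_score(v: VendorIntake) -> int:
    """Score 0..15 from data sensitivity, volume and system access; cost is ignored."""
    score = int(max(v.data_classes, default=DataClass.PUBLIC)) * 3   # 0..9
    if v.record_volume >= 10_000:
        score += 3
    elif v.record_volume >= 1_000:
        score += 2
    elif v.record_volume > 0:
        score += 1
    score += min(len(v.key_systems), 3)   # each integrated system widens exposure
    return score

def assessment_level(score: int) -> str:
    """Map the inherent-risk score to the depth of assessment to run."""
    if score >= 10:
        return "full"
    if score >= 5:
        return "standard"
    return "lightweight"

def triage(queue):
    # Order the intake backlog so the riskiest vendors are assessed first.
    return sorted(queue, key=inherent_risk_score, reverse=True)

# Constructed intake records for the two kinds of purchase discussed in the post.
EMAIL_SIGNATURE_TOOL = VendorIntake(
    "email signature add-in", annual_cost_usd=2 * 60 * 12,   # 60 users at $2/month
    data_classes=frozenset({DataClass.CONFIDENTIAL}),       # reads mail and contacts
    record_volume=5_000, key_systems=frozenset({"email", "directory"}))
ANALYTICS_SUITE = VendorIntake(
    "web analytics suite", annual_cost_usd=120_000,
    data_classes=frozenset({DataClass.PUBLIC}),             # public site traffic only
    record_volume=0, key_systems=frozenset())
```

Run `triage([ANALYTICS_SUITE, EMAIL_SIGNATURE_TOOL])` and the cheap add-in sorts first with a score of 10 (a full assessment), while the far more expensive analytics suite scores 0.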
Select a Central Repository For All Security-Related Data
Finally, what’s the point of conducting analysis and categorizing vendors by their inherent level of risk if the information itself isn’t stored in a secure, central repository? Your Information Security team knows better than anyone that data without a home is useless. That’s why it’s important to select a central repository where all of the security-related data from previous assessments (intake details, risk tier, questionnaire responses and findings) can be stored and easily retrieved when it’s time for the next assessment.
Ready to Learn More?
Check out our resources below for more third party vendor best practices and insights on how your organization can effectively approach security assessments.
Why Third Party Security is Critically Important
Request a Live Demo with a Whistic Product Specialist