Third-Party Security Risks: Got Visibility?

Newsflash: we (collectively) are falling short when it comes to implementation of best practices pertaining to minimization and identification of third-party cybersecurity risks.
Summary by Fred Donovan in FierceITSecurity, original release by Protiviti and Shared Assessments.
Emphasis in red added by me.
Brian Wood, VP Marketing
——

Despite high-profile breaches, firms failing to address third-party risks

Companies are failing to address third-party security risks, despite some recent high-profile breaches that resulted from poor security at third-party vendors, such as the Target breach that exposed 40 million credit and debit card numbers and other information.
Firms lack mature vendor risk management practices and do not have resources, and staff, to address third-party risks, according to a survey of nearly 450 IT and risk management professional conducted by Shared Assessments Program and consulting firm Protiviti.
Many companies aren’t adequately or effectively protecting themselves from exposure to vendor outsourcing risks. This could result in their potential exposure to system compromise, fraudulent abuse of data and, in some cases, regulatory exposures and fines, which could have significant impact on their brands and reputations,” warns Rocco Grillo, managing director at Protiviti.
The vendor risk management areas that received the lowest marks from respondents were vendor risk identification and analysis, skills and expertise, and communication and information sharing.
The survey found that companies do not have processes for periodically reviewing the security of their vendors throughout their business relationships. In addition, firms are not investing resources to better manager vendor risk.
“The increased use of third parties could create a wider gap for risk managers that can only be addressed through closer attention to consistency in policies, procedures and governance. Failing to include the necessary components may result in vendor risks going undetected, with potentially devastating results,” concludes Catherine Allen, chairman and CEO of The Santa Fe Group, which manages the Shared Assessments Program.
http://www.fierceitsecurity.com/story/despite-high-profile-breaches-firms-failing-address-third-party-risks/2014-06-17
—–

Survey Reveals Significant Risk Gaps between Companies and Their Vendors, According to Study from Protiviti and Shared Assessments

SANTA FE, N.M. and MENLO PARK, Calif.– May 19, 2014 – Organizations are failing to adequately address information technology and security risks that emerge from outsourcing and partnering with third-party vendors, according to a new survey by Shared Assessments Program (http://SharedAssessments.org/) and global consulting firm Protiviti (www.protiviti.com) that examines organizations’ current vendor risk management programs.
Despite the extensive range of standards and regulations in the business environment today, and the need for increased vigilance due to highly publicized data breaches and cyber threats, the benchmarking study, titled 2014 Vendor Risk Management Benchmark Study (www.protiviti.com/vendor-risk), found that companies lack mature vendor risk management practices and do not have the necessary resources and staff to meet best practice standards.
“Managing the risks associated with outsourced services and vendor relationships is one of the many challenges facing organizations when it comes to data security,” said Rocco Grillo, a managing director with Protiviti and the firm’s global leader for incident response and forensic investigations. “Many companies aren’t adequately or effectively protecting themselves from exposure to vendor outsourcing risks. This could result in their potential exposure to system compromise, fraudulent abuse of data and, in some cases, regulatory exposures and fines, which could have significant impact on their brands and reputations.”
Nearly 450 IT and risk management professionals rated their organizations on the Vendor Risk Management Maturity Model (VRMMM), a best practice tool from Shared Assessments that measures the quality and maturity of an existing risk management program. Respondents scored more than 100 characteristics about their organizations’ vendor risk management strategies on a maturity scale of 1 to 5 (lowest to highest) across eight categories (average scores shown below):

  • Program Governance (2.9)
  • Policies, Standards and Procedures (2.9)
  • Contracts (3.0)
  • Vendor Risk Identification and Analysis (2.7)
  • Skills and Expertise (2.3)
  • Communication and Information Sharing (2.6)
  • Tools, Measurement and Analysis (2.4)
  • Monitoring and Review (2.9)

“While the needs to manage vendor risk vary by specific company profile and needs, we found that organizations are still falling short of best practice recommendations,” said Catherine Allen, chairman and CEO of The Santa Fe Group, which manages the Shared Assessments Program. “The increased use of third parties could create a wider gap for risk managers that can only be addressed through closer attention to consistency in policies, procedures and governance. Failing to include the necessary components may result in vendor risks going undetected, with potentially devastating results.”
Key Findings from the Survey

  • Financial Services Organizations Outperform Other Industries.  Although all companies had ratings that were below the desired range, the financial services industry had more mature risk management programs across key categories than other sectors. This is largely driven by stricter guidelines for companies in the sector and by the highly regulated nature of the industry.
  • Lackluster Procedures for Assessing Vendors. Organizations fail to have mature processes in place for reviewing vendors periodically through the course of an engagement, as well as for establishing criteria and process around the end of a vendor relationship. Given the potential risk involved with third parties, companies should have stronger policies and guidelines to ensure they are protected at the beginning of an engagement, through the course of the relationship via ongoing risk reviews, and during the exit process.
  • A Need for Training, Staffing and Resources. Companies don’t spend enough time assessing their own skill sets and deficiencies in terms of vendor risk management – nor are they proactive about training and improving areas where employees’ knowledge is inadequate. The overall investment in resources to better manage vendor risk is below average for most companies.

Resources Available to Learn More
To download a complimentary copy of the survey report, 2014 Vendor Risk Management Benchmark Study, please visit: www.protiviti.com/vendor-risk. The site also hosts an infographic of the survey’s highlights and a benchmarking tool to compare the user’s results to the survey respondents’ results.
http://www.fierceitsecurity.com/press-releases/survey-reveals-significant-risk-gaps-between-companies-and-their-vendors-ac