Data breaches erode trust, and many companies are skeptical of the parties with which they share their data. In an independent study, the research think tank Ponemon Institute surveyed
nearly 600 individuals who work at U.S. organizations with a vendor data risk management program. The study revealed that many companies have difficulty mitigating, detecting, and minimizing the risks posed by third parties that have access to their sensitive or confidential information.
When it comes to data breaches, many organizations are not even sure whether one of their third parties has suffered one. Only about half of respondents said they know their organization was the victim of a data breach caused by one of their vendors. The uncertainty grows when the question turns to breaches caused by a cyberattack: approximately one third of organizations were unsure whether they had suffered a cyberattack resulting from the misuse of sensitive information. The reason some organizations lack faith in their vendors is that, for lack of resources, they find it difficult to detect and manage the risks associated with third parties.
Companies don’t know who has access to their confidential data:
This problem could be addressed by keeping an inventory of all third-party vendors. However, in this survey, few companies were trying to address the risk: 60 percent of respondents were unsure whether their company had such an inventory.
Only 33 percent do have such an inventory, and only 18 percent of those organizations have a comprehensive list of all vendors with access to sensitive or confidential information. When asked why they don't have a list, 63 percent of respondents said the reason was that there was no centralized control over third-party relationships. Other reasons were a lack of resources, complex relationships, and frequent turnover among third parties.
Evaluating third parties:
When it comes to initiating a business agreement that involves the sharing of sensitive information, only 38 percent of organizations conduct an evaluation of the third party. When they do, its primary purpose is to obtain signatures on contracts that legally obligate the third party to adhere to security procedures, or to review the third party's written policies. The evaluation very rarely includes an audit of the vendor's security and privacy practices, or obtaining indemnification in case of a data breach.
Despite the number of data breaches in the U.S. that have received considerable media attention, organizations are not confident that they have the resources to respond to a breach. The reason given is that they simply lack the resources to audit their third-party vendors. This will have to change as companies come to understand that managing data risk is not just a matter of compliance but a strategic business challenge. A risk management assessment, a data security program, and due diligence on third parties are all good starting points. Source: Ponemon Institute