As companies strive to strengthen their organizations through the outsourcing of products and services, close attention must also be paid to the additional risk implications of these practices. One issue emblematic of these additional risks is the increasingly common practice of subcontracting by outsourced vendors, which vastly increases exposure, especially as third- and fourth-order outsourcing begins to occur in today’s business ecosystem. This practice has led to a growing trend of hackers targeting a vendor in order to gain access to a higher tier of information belonging to that vendor’s customers. Such a breach almost always directly affects the reputation of the company (as opposed to the vendor) in both the public eye and in the eye of regulators.
In today’s climate, decision-makers must apply the same risk analysis to their third-party service providers that they use in their own IT environment to protect against outside threats. Assume a breach at a third-party service provider is inevitable and respond proactively. While this may seem obvious, many naturally trust their internal IT staff and Risk Committee assessments. But, in reality, over 75% of all companies breached have to be told they have an “Advanced Persistent Threat” on their network by outside sources, such as third-party benchmarking study contractors or law enforcement.
In addition to the monitoring of key vendors and timely follow-through, banks can and should create a culture of opportunity for their staff at all levels, from the Board through senior executives to on-the-ground IT and Operations staff members. This requires a coordinated campaign of education targeted at the increased threats that arise during such vendor events as geographic diversification, merger, acquisition, management changes and/or subcontracting. Such a campaign must clearly:
- Demonstrate the financial value of data, not just in its use as an economic tool, but also as a means of establishing public and regulatory trust so essential to future marketplace growth.
- Convey the specific and serious nature of the risks that multiple layers of vendors present and how to recognize them.
- Motivate and provide staff with the tools to proactively search for and act upon threats.
Dedicating resources to create this culture of opportunity, one that both educates staff and protects data, is not as costly as might be assumed, and the return on that investment in the form of goodwill can more than compensate organizations for their efforts.
Santa Fe Group Consultant and Shared Assessments Program Director, Brad Keller, has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s Tools and key partnerships.