ERN: Other Organizations & Markets: Policies & Processes (Topic) | 2021

Third Party Risk Management


Abstract


Every organization relies upon third party vendors for a multitude of business operations. Despite the need to rely upon third party vendors, only 52% of organizations have security standards for third party vendors (Matis, 2019, para. 2). Furthermore, a study surveying 608 information technology (IT) professionals indicated that 69% of the respondents had either definitely or possibly suffered a security breach due to vendor access within the year (Bomgar, 2019, p. 2). Finally, a staggering 94.3% of executives possess low to moderate confidence in their third-party risk management tools and technology (Deloitte, 2018, para. 3). These statistics are the direct result of complex business relationships, dynamic information technology exchanges, and a lack of awareness outside of those directly working within the information technology realm. Additionally, the lack of information technology personnel who aspire to the upper echelons of business management contributes to the overall risk factors.

In June of 2018, Universal Music Group became aware of a massive data breach that exposed file transfer protocol credentials, Amazon Web Services cryptographic keys, and internal passwords due to improper handling of a third-party cloud storage provider. The technical aspects of the breach reveal that a contractor working at the cloud storage provider administered an Apache Airflow server without password requirements (Cimpanu, 2018, para. 3). The damage has yet to be quantified, and it is unclear how many customers this data breach has affected (Cyber GRX, 2019, para. 7). What the data breach represents is something far greater than one more data breach among many: it shows how devastating the effects of a single lackadaisical contractor can be for an organization. The Target data breach is a similar example, with many more secondary and tertiary effects caused by a single heating, ventilation, and air conditioning contractor.
Risk is generally dealt with in one of four ways: transference, acceptance, avoidance, and mitigation (Cannon, 2014, p. 48). Risk transference is the most popular method of handling risk and is the reason organizations use so many third-party vendors (ISACA, 2016, p. 113). When opting to use third party vendors, an organization is choosing to transfer risk because it is unable, or finds it infeasible, to conduct the activity on its own. Across the cyber domain, many organizations opt to place their data in cloud storage, as this is scalable and affordable. However, cloud solutions are just as vulnerable to exploitation as an on-premises datacenter (Muncaster, 2019, para. 3). Perhaps the issue rests in the lack of education on vendor risk management. Cyber insurance is another method of transferring risk, as the cost of the average data breach continues to grow each year. This paper aims to underscore the importance of vendor risk management and the options organizations have to address such risks.

DOI 10.2139/ssrn.3763399
Language English
Journal ERN: Other Organizations & Markets: Policies & Processes (Topic)