Organizations are failing to adequately address information technology and security risks that emerge from outsourcing and partnering with third-party vendors, according to a new study by Shared Assessments Program and global consulting firm Protiviti.
The 2014 Vendor Risk Management Benchmark Study examines the maturity of organizations' current vendor risk management programs. It warns that sophisticated criminal networks are penetrating databases with new and complex methods, putting systems that hold high-value data, such as personally identifiable information or operational and systems data, at high risk of breach.
Third-party service providers that warehouse terabytes of high-value data have become the latest target, and the weakest link in many organizations' risk management strategies.
The study reveals serious vulnerabilities and security risks that arise when organizations outsource to and partner with third-party vendors, and it finds significant risk gaps between companies and their vendors.
The study found that companies lack mature vendor risk management practices and do not have the resources and staff needed to meet best-practice standards. It emphasises that the vendor management landscape needs to move from risk management to risk assurance. Shared Assessments, which provides risk management tools including the Vendor Risk Management Maturity Model (VRMMM), asked top industry experts to comment on risk management trends, best practices, and prevention strategies for managing the risks associated with third-party service providers.
"While the needs to manage vendor risk vary by specific company profile and needs, we found that organizations are still falling short of best practice recommendations," said Catherine Allen, chairman and CEO of The Santa Fe Group, which manages the Shared Assessments Program. "The increased use of third parties could create a wider gap for risk managers that can only be addressed through closer attention to consistency in policies, procedures and governance. Failing to include the necessary components may result in vendor risks going undetected, with potentially devastating results."
Rocco Grillo, a managing director with Protiviti and the firm's global leader for incident response and forensic investigations, said that managing the risks associated with outsourced services and vendor relationships is one of the many challenges facing organizations when it comes to data security.
"Many companies aren't adequately or effectively protecting themselves from exposure to vendor outsourcing risks. This could result in their potential exposure to system compromise, fraudulent abuse of data and, in some cases, regulatory exposures and fines, which could have significant impact on their brands and reputations."
Protiviti, Shared Assessments Program, US