How Much Should You Trust Your Third-Party Vendors?
eSentire recently conducted an online survey of 600 information technology and security decision makers across the globe. These leaders have purchase influence over security solutions and familiarity with third-party risk. While the survey intended to quantify market concerns about third-party risk, determine top challenges and identify potential areas of vulnerability, there was an unexpected takeaway.
While most organizations take steps to evaluate third-party vendors, 13% of respondents say they do not evaluate their third-party vendors at all. Of that number, 20% cite “trust” as the justification for why they do not conduct third-party evaluations.
This is not a smart business practice. Not monitoring your vendors enough, or at all, exposes your organization to the risks of data breaches, operational setbacks and reputational harm.
When it comes to third-party vendor relationships, trust isn’t enough.
Starting Off on the Wrong Foot
Establishing relationships with suppliers and vendors is vital. Without them, you won’t have access to the products and services that are necessary to operate your business. To create a successful relationship, you should establish expectations ahead of time, including price, quality level, lead time and whatever else you require.
However, eSentire’s survey shows that many leaders are far too trusting when initiating business relationships: “only 51 percent [of organizations] require a signed contract that obligates the third party to adhere to security and privacy practices, and just under 50 percent review the written policies of their third parties.”
This is a startling statistic, especially considering the survey also shows that “only 24 percent completely agree that their company allocates sufficient resources to managing third-party relationships.” It’s ironic that most companies can be so negligent when trusting their data with third-party vendors while also recognizing that they are not devoting enough attention to that relationship.
History and Personal Relationships
Even after a vendor relationship has been established, it doesn’t pay to have blind faith. According to the survey, “Respondents even indicated that their history and experience with a third-party vendor provides them with a level of trust that suffices.”
There’s trust, and then there’s naiveté. History and personal business relationships might make you assume a person and their business is more trustworthy and reliable than they actually are. It’s better to stay objective and, most importantly, vigilant.
No Matter Who Fails, You Get Blamed
In the event of a security incident, consumers don’t care if you or your third party is responsible. You’ll be held accountable; your company’s name will be in headlines. You’ll lose business.
Even with the specter of culpability, “three quarters of respondents are confident that their third parties have adequate protection in place in order to prevent a data breach, and that their third parties would notify them if there was a breach involving their data.” Unfortunately, being notified by the third-party vendor rarely happens.
As eSentire shows, the overconfident three quarters of respondents discovered, “when a breach did occur, only 15 percent reported that they were notified of the breach by the responsible party.” If you’re waiting by the phone for your vendors to call, you’re risking your customer relationships and public reputation.
As the survey says, “When a company experiences a breach, the reputational damage will not be lessened by the knowledge that the breach was caused by a third party.”
It doesn’t matter if you’ve been in business with a vendor for a day or a decade, their failure is your loss. Trust only goes so far, so it’s better to be smart and be prepared.
VendorInsight® offers you tools to systematically manage your vendors and mitigate your risks. The vendor risk management software performs continuous monitoring of your vendors and optimizes your oversight program. Request a demo today to see how VendorInsight® earns your trust.