This article series has covered the key up-front and long-term activities to ensure external relationships with suppliers don’t threaten critical data assets within your organisation, plus the benefits of using this approach. However, if a data breach event does occur, it’s important to decide on next steps – and plan to ensure the incident is never repeated.
1. Assess the damage
This is a necessary (albeit reactive) step to take following a data breach event. An effective analysis provides both a quantitative view (direct costs, fines, remediation) and a qualitative view (reputational, regulatory and operational fallout) of the impact, since data breaches affect organisations well beyond the balance sheet.
However, best security practice demands a proactive, as well as reactive, approach. A formalised business impact assessment (BIA) should be updated every year, allowing your organisation to measure the cost of a hypothetical event and plan accordingly, for example via contingency arrangements and exit plans that are adapted to different scales of attack.
2. Evaluate the relationship with the supplier
Data breaches, particularly those with extensive and far-reaching impact, can be tough to forgive if a third party was responsible for ‘handing over the key’ to attackers. Is the answer to break off the relationship with the vendor?
Well, it depends. In the aftermath of an attack, the damage should be weighed against the value of the relationship. Asking key questions both internally and of the supplier can inform the decision:
If it’s agreed to proceed with the relationship, always ensure the third party is accountable for any promises – again, everything needs to be in writing.
In the case of a break-up, a stressed exit strategy (one that can be executed under adverse conditions, such as immediately after a breach or a sudden termination) should already have been agreed in the contract – and this won’t be overlooked if security was involved from the start. An effective plan will be tailored to the level of risk and facilitated by different methods and tools.
What are the key components of business continuity and exit plans for third parties?
Source: “Our Compliance Framework: Outsourcing & Third Party Risk Management” – Wavestone, June 2020
3. Establish (or improve) a vendor risk management process
Regardless of whether an organisation has experienced a breach, this should be a top priority. Every organisation deals with risk, and chances are your business already has programmes and processes in place to manage it. However, if an organisation has experienced a breach, then it’s likely the management of third party risk leaves a little – or a lot – to be desired.
A vendor risk management (VRM) process involves building a structured view of your external relationships, classified by the volume and sensitivity of the data they access. This in turn allows different controls to be applied to vendors according to the level of risk they represent. While one-off exercises to assess the risk of third parties are important, the goal of a VRM process is to maintain persistent oversight – through monitoring and regular reviews – of the security risk associated with external relationships.
Yes, a simple first step towards third party data security is to make it a top consideration in the procurement phase, but security management is about the long game and should be embedded throughout the entire lifespan of a vendor relationship.
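The tiering and ongoing-review logic described in the two paragraphs above, as an added worked example that is not part of the original article or of any Wavestone tooling. The thresholds, tier names, control sets and review cadences are assumptions chosen for illustration (each organisation sets its own), and the vendor register is constructed sample data, not real suppliers:

```python
"""Minimal vendor risk register: tier vendors by data sensitivity and volume,
derive the controls each tier requires, and flag overdue reviews.

Added example; all thresholds, control lists and cadences are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

# Data classification levels, ordered least to most sensitive (assumed scheme).
SENSITIVITY_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Volume above which a vendor is bumped up one tier (assumed threshold).
HIGH_VOLUME_RECORDS = 100_000

# Controls required per tier; higher tiers inherit everything below (assumed).
_TIER1 = ["security clause in contract", "annual questionnaire"]
_TIER2 = _TIER1 + ["penetration test evidence", "incident notification SLA"]
_TIER3 = _TIER2 + ["right to audit", "tested exit plan"]
TIER_CONTROLS = {1: _TIER1, 2: _TIER2, 3: _TIER3}

# Maximum days between reviews, per tier (assumed cadence).
REVIEW_INTERVAL_DAYS = {1: 365, 2: 180, 3: 90}


@dataclass
class Vendor:
    name: str
    sensitivity: str   # highest classification of data the vendor can access
    records: int       # approximate number of records the vendor can access
    last_review: date  # date of the last completed security review


def vendor_tier(v: Vendor) -> int:
    """Tier 3 is highest risk. Sensitivity sets the base tier; high volume
    raises it one level, capped at 3."""
    rank = SENSITIVITY_RANK[v.sensitivity]
    base = {0: 1, 1: 1, 2: 2, 3: 3}[rank]
    if v.records >= HIGH_VOLUME_RECORDS:
        base = min(base + 1, 3)
    return base


def required_controls(v: Vendor) -> list[str]:
    """Controls the vendor's tier demands."""
    return TIER_CONTROLS[vendor_tier(v)]


def control_gaps(v: Vendor, implemented: set[str]) -> list[str]:
    """Required controls not yet evidenced for this vendor."""
    return [c for c in required_controls(v) if c not in implemented]


def overdue_reviews(vendors: list[Vendor], today: date) -> list[tuple[str, int]]:
    """(vendor name, days overdue) for every vendor past its tier's cadence."""
    overdue = []
    for v in vendors:
        due = v.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[vendor_tier(v)])
        if today > due:
            overdue.append((v.name, (today - due).days))
    return overdue


# Constructed sample register; names and figures are invented.
SAMPLE_VENDORS = [
    Vendor("payroll-saas", "restricted", 5_000, date(2024, 1, 15)),
    Vendor("crm-platform", "confidential", 250_000, date(2024, 3, 1)),
    Vendor("marketing-analytics", "internal", 20_000, date(2023, 12, 1)),
    Vendor("office-supplies", "public", 0, date(2022, 6, 1)),
]


if __name__ == "__main__":
    today = date(2024, 6, 1)
    for v in SAMPLE_VENDORS:
        print(f"{v.name}: tier {vendor_tier(v)}, controls: {required_controls(v)}")
    print("overdue:", overdue_reviews(SAMPLE_VENDORS, today))
```

The point of the example is the shape of the process rather than the specific numbers: the tier is derived from what the vendor can reach, the control set follows from the tier, and the review cadence is enforced continuously rather than only at onboarding, so a vendor whose access grows (or whose review lapses) is surfaced automatically.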
How does security evolve during the relationship with a software vendor?
Sources: “Could Your Business Partners Be Offering More Risk than Support” – Wavestone Webinar and “How to Define an Effective Third Party Cyber Risk Management Strategy” – Wavestone’s Risk Insight Blog