Regardless of what business you’re in, chances are you’re working with more third-party organizations today than ever before. Whether it’s human resources, IT, marketing or everyday vendors, businesses are increasingly looking to third-party suppliers to help reduce costs and grow the business. While these third parties can provide great opportunities for a company, they can also pose great risks – some catastrophic to your brand and revenues – if not properly managed. For instance, who would have guessed that a regular HVAC vendor could be at the center of a multimillion-dollar data breach? Or that a consultant disguised as a domestic supplier could lead to one of the largest FCPA enforcement actions in history?
In this slideshow, Greg Dickinson, CEO of third-party management expert Hiperos, provides a checklist that companies must keep in mind to ensure due diligence when working with third parties.
Working with Third Parties
Six best practices organizations should keep in mind when managing third-party vendors, as identified by Greg Dickinson, CEO, Hiperos.
Know Your Third Parties
Third parties can deliver up to 60 percent of a company’s total revenue, and also account for the majority of what it spends. Unfortunately, while it’s easy to outsource work to third parties, it’s not so easy to know who you’re actually doing business with. Companies often default to onboarding and managing only a limited number of “high-risk” third parties. Start by cataloguing all of your third parties in one place and tracking exactly what each one does.
Know Their Business
It is not enough to hire third parties to help your company – you also have to know what business they are doing on your behalf. Ask yourself this question: If today you had to pull a list of which of your vendors or business partners have access to employee or customer PII, or to your IT systems, how long would it take? If you had to contact those companies for additional information, do you have accurate contact details?
Did you know that most companies lack accurate (or any) contact information for the majority (north of 75 percent) of their third parties? This means that businesses may have incomplete, inaccurate or outdated information about the work that their third parties do and where and why they do it. Not knowing this information increases the chances of exposing your enterprise to risks and breaches.
Know Their Risk
Fewer than half of companies regularly conduct due diligence on their third parties. While all third parties pose some level of risk, the kind of risk and its seriousness differ depending on the role of the third party. For example, third parties that deal with payroll or taxes usually pose a higher risk to your company’s data than the cleaning crew that comes in at night. It is imperative that you know exactly what risks each third party poses, and which ones to keep an eye on. This can only be done through regular due diligence.
Know Their Access
Not knowing that a third party had access to system passwords is not a valid excuse when your client’s records are stolen. Understanding what each party has access to – and why – ensures that you have control over their access and can limit or deny access to sensitive information as appropriate.
Know Your ABAC Obligations
With increasing worldwide interest in and enforcement of anti-bribery and anti-corruption legislation, companies should assess the levels of risk they face and make sure they have appropriate controls in place. While it may be a daunting task, the initial questions are relatively straightforward: “Does our company do business in foreign markets?” and “Do we or our third parties interact with government agents or officials and, if so, do we understand these points of contact?”
Learn from the Latest Data Breaches
Home Depot, one of many retailers breached in the past year, was breached by hackers who stole credentials from a third-party vendor that had access to the payment system. In fact, 44 percent of company data breaches involve third parties. Organizations should use past breaches to learn and ensure that they understand which vendors or business partners (and not just the obvious IT ones) have access to IT systems, double-check security measures, assess third-party risks, and make the necessary changes to ensure a higher level of security and scrutiny.