Protecting Reputation, Business and Customers in Today’s Extended Vendor Ecosystem

In today’s global economy, it’s no secret that many organizations rely on third parties for critical business activities. Outsourcing isn’t a new concept, but the rise of readily available cloud-based and everything-as-a-service solutions is rapidly expanding an organization’s liability and risk landscape, often with limited IT oversight.

Unfortunately, many enterprises that rely on third-party vendors assume those third parties properly protect the sensitive employee, customer and business data entrusted to them. This is not always the case. Consider these data points:

  • Only 24 percent of respondents require third-party suppliers or partners to comply with baseline security procedures. [1]
  • Although 84 percent of senior IT decision makers [were] concerned or very concerned about the risks associated with IT security breaches, 55 percent of CIOs have not tested cloud vendors’ security systems and procedures. [2]

Vendor Risk Management in the Age of Everything-as-a-Service

Organizations now have more choices than ever before when it comes to outsourcing information management and IT resources to third-party vendors. Cloud computing and everything-as-a-service are becoming more popular, and business units are choosing to run more projects with third parties. In an environment where third-party services are seemingly easy to use and quick to deploy, an organization’s liability and risk landscape can grow rapidly and with limited oversight.

Governance of third-party vendors, assessment of their risk, and remediation of unacceptable risks are critical to protecting an organization’s reputation, business, and customers. IT Security, Legal, and Finance all play an important role in identifying third-party vendor projects that involve access to or management of an organization’s sensitive data. IT Security has a responsibility to assess the risk of those projects and to ensure that the highest risks are addressed first.

Third-Party Breaches Highlight Weak Link in the Chain of Protection

Nearly every organization uses third-party companies to handle some function, whether it’s sending billions of emails or processing private information such as medical, financial or other personally identifiable information. Headlines keep reporting yet another third-party data breach, and this will likely remain an ongoing sore point for organizations that depend on third-party companies. Recent figures from the Ponemon Institute’s Cost of a Data Breach report indicate that 39 percent of data breaches involve third-party outsourcers. Third-party service providers generally try to protect the information they hold, but they often fall short. Much of the time this is because they do not operate or think like the companies they serve, especially those companies subject to regulatory or industry standards.

What’s interesting is that many of the companies that outsource these functions seem to rely on contractual language in the agreements, on cursory assessments of the third party performed before the agreement is signed, or on both. Neither is a substitute for ongoing verification: a contract clause assigns liability after a breach but does nothing to prevent one, and a one-time pre-signature review says nothing about how the vendor’s controls hold up over the life of the relationship.