- 16 February 2023
You could be forgiven for thinking that modern business security is, by default, a high-tech affair. Any number of films and TV shows would have us believe that even the humble high street bank protects its valuables and data with retinal scans and servers locked away in rooms rigged with motion-sensitive booby traps.
The truth, of course, is less exciting – and a lot less reassuring. Most firms are vulnerable to threat actors who don’t even come close to having the skills and tools at the disposal of the Mission: Impossible team.
No matter how good a firm is at managing its own data and IT security, any one of its third parties could be an unlocked back door. That’s why, for many firms, a large part of the attack surface is not their own estate at all but the gaps in their third-party due diligence.
Some of the more common barriers to getting third-party due diligence right include:
- Reliance on legacy systems When your team is comfortable using a system that (barely) continues to serve its intended function, it can be tempting to stick with it for the sake of familiarity – even as it becomes increasingly difficult to integrate with other systems, and the cost of maintaining it starts to mushroom.
- Failing to use automation There is only so much that a spreadsheet and an emailed questionnaire can do. Even small organisations will have many third parties to deal with, so it’s easy to lose track of who knows what about them, and where that knowledge is recorded. In the right (or wrong) circumstances, a simple question like, “Who owns that file, and when was it last updated?” can assume grave significance. Which brings us to…
- ‘Hidden’ outsourcing Third-party suppliers are one of the easiest things for a firm to lose sight of, particularly those engaged with on an irregular or as-needed basis. Complicating this picture are so-called ‘fourth parties,’ or the providers that a firm’s own third parties use. And those fourth parties will have their own vendors – and so on, and so on. It might be time to start talking about “multi-party risk management” instead.
- Regulation In regulated industries, it can be tough to stay on top of all the rule changes in each market and what’s needed to remain compliant. It is therefore essential that onboarding questionnaires are revised regularly so that they remain fit for purpose, and that the third-party network is monitored continuously and accurately rather than only at onboarding.
Third-party risk management – Mission: Possible
Fortunately, there is technology available that can assist you in all these areas, and no rock-climbing experience or parachutes are required. Talk to us today about how Orbit Diligence can improve the efficiency and effectiveness of your third-party risk management.