It wasn’t long ago that the phrase digital transformation conjured the image of a large-enterprise corporate luminary delivering a keynote about the technological metamorphosis of their industry. Digitalization of legacy processes, seamless third-party service integration, elastic cloud computing, the internet of things, e-business – the specifics might manifest differently at different organizations, but the promise of digital transformation seemed limitless.
To cybercriminals, all this data flowing between the connected operations of more and more enterprises and their third-party partners presented another limitless opportunity – for cybercrime. An organization’s in-house systems, third-party connected services, supply chains and employee personal accounts were just some of the growing areas that a malicious actor might exploit to steal sensitive information or commit other criminal acts.
Not surprisingly, organizations have evolved their defenses in response. According to a profile by Cybercrime Magazine, it was 1994 when Citigroup appointed the world’s first C-level position devoted to information security, a chief information security officer (CISO). Fast-forward to today, and 90 percent of organizations with more than 5,000 employees employ a CISO or similarly focused chief security officer, according to a 2021 report by Navisite.
Yet all this headline-grabbing digital transformation, and digital risk, didn’t stop at the Fortune 500. Community banks, healthcare companies, retailers and other small-to-medium-sized businesses (SMBs) have now widely adopted many of the same technologies and practices that were once only within reach for the largest enterprises. Cybercriminals have noticed – IT and third-party risk now stalks every Main Street.
The unique challenge for SMBs in IT and third-party risk
A global Ponemon Institute survey published in 2019 reported 66% of organizations with between 100 and 1,000 employees experienced a cyberattack in the prior year, with an even greater percentage of respondents in the United States, 76%, reporting a cyberattack in that period.
The Ponemon report colors some of the challenges SMBs face with respect to third-party risk management, a critical area where sensitive information is often shared between organizations. Most respondents, 70%, said they do not have a comprehensive inventory of all third parties with which they share sensitive and confidential information. An additional 5% said they were unsure. Some of the cited reasons include lack of resources to track third parties (52%), frequent third-party turnover (41%) and no centralized control over third-party relationships (33%).
These findings paint a troubling picture. While representing just one area of risk management, third-party services have come to dominate many of the functions that a casual observer might otherwise assume to be in-house IT, such as human resource systems and mobile apps. This trend involves organizations of all sizes, but for many SMBs, it has enabled the offering of competitive services that level the playing field with their larger peers – all without the need for significant in-house investment in research and development.
Third-party services seem essential to compete at scale in today’s marketplace. Is enough being done behind the scenes to ensure organizations can rely on the security and stability of their critical third parties?
There are indications that many have room to improve. A combined 38% of respondents, representing organizations of all sizes, said their program was either “poor” or “fair” at engaging in ongoing monitoring and risk management throughout the lifespan of a third-party relationship, according to survey data from NAVEX’s 2022 Definitive Risk & Compliance Benchmark Report. These were the two options among five indicating the lowest level of efficacy. Only 9% responded that their organization was “excellent,” indicating the highest level of efficacy.
Of course, third-party risk extends beyond the realm of IT services. Physical supply chains also present third-party risk – a supplier may disappear overnight due to political sanctions, or an unmonitored supplier may employ unfair labor practices that present legal and reputational risk for the client. Today’s globalized supply chains give SMBs access to a world of suppliers, and with it, the challenge of monitoring those relationships to avoid risk.
Finally, SMBs, and organizations of all sizes, face the ongoing and persistent risk of compromise to their connected IT systems. Digital transformation has only increased this risk. Community hospitals, small retailers – it’s now hard to imagine an organization that does not rely on some form of connected infrastructure to support its operations. The same question exists for IT security as it does for the related management of third-party risk – are SMBs doing enough to ensure their essential systems are secure?
A path forward
Fortunately, SMBs can employ – and in many cases, are employing – some straightforward best practices to improve their IT risk management (ITRM), third-party risk management (TPRM) and other areas where they face similar threats as their larger competitors.
Among those strategies is integrated risk management, or IRM. This holistic approach brings complex risk signal data into a single view and management structure, making it easier for organizations to act meaningfully on information about risks involving their third parties, IT infrastructure and more. Most respondents to NAVEX’s 2022 risk and compliance survey said they have an executive role identified to own risk integration strategy, suggesting many are taking the approach seriously despite the variations in the specific role cited.
Though employing a CISO is not a definitive measure of how an organization prioritizes information, third-party and IT risk, the prevalence of this particular C-level role among SMBs is notable as they face these same threats. Navisite found that nearly half, 48%, of respondents from organizations with 100 to 5,000 employees said they had someone employed in this role. Even 36% of respondents from organizations with fewer than 100 employees said they had a CISO.
NAVEX also recently released an out-of-the-box IRM solution that addresses the major risks all organizations, not just SMBs, face in ITRM and TPRM. This new solution is meant to help achieve a fast return on investment for risk management, includes industry-leading risk scoring methodologies built in, and provides the prescriptive solutions customers want while maintaining the direction and integrity of their existing programs.
NAVEX also published a webpage with resources for getting started with ITRM and TPRM, and a related guide, “7 Elements in Building an Advanced IT Security Defense System,” that includes some helpful guidance.
SMBs are now firmly on the journey of digital transformation, and are facing the same ITRM, TPRM and other risks as their larger competitors. Some basic best practices can help organizations rise to the challenge of securing the digital business strategies that are essential to compete in today’s marketplace.
To learn more about getting started quickly in integrated risk management, register for NAVEX’s webinar, "Introducing NAVEX IRM Out of the Box: Solving Business Challenges with an Integrated Risk Approach."