For our latest edition of Risk Hotseat, Robert Shearman, Product Manager at Aravo explores the importance of information security for CPG and other industries. Learn more about risks and best practices for managing them!
Hello everyone, my name is Robert Shearman, and I am a Product Manager at Aravo working on designing and developing applications that support our clients’ desires to run mature, best practice, third-party risk and relationship management programs on top of the Aravo platform.
At the end of the day, the main top-level risk is the risk of financial loss. However, that is a bit of a catch-all in my opinion. There are three key risks that organizations need to be mindful of that are associated with that kind of financial loss risk. First, is the risk of breach. Second, operational risk. And then third would be reputational risk, all of which can severely impact the company’s financials.
The risk of a breach is the big one. If a vendor has access to your organization’s data and lacks robust security measures, they could inadvertently open the door for unauthorized access to sensitive information. The Facebook and Cambridge Analytica breach in 2018 was a textbook case. Cambridge Analytica harvested and sold data from millions of Facebook users without their consent through a seemingly harmless third-party quiz application. It’s also led to a historic $5 billion fine by the FTC, as well as significant reputational damage.
I would definitely consider reputational damage as a significant risk you’d face. Infamously, in 2013, an HVAC vendor of Target was compromised and attackers obtained network credentials through the vendor, enabling them to infiltrate Target’s network. This breach compromised roughly 100 million customer payment cards and personal contact records. The incident severely damaged Target’s reputation, shook customer trust, and led to a decline in sales during a critical holiday season.
Obviously, all of this highlights how each of these risks are significant, but they all roll up to that high-level financial loss risk. In order to address these risks, a mature program requires a comprehensive approach to third-party risk management (TPRM). Your security is only as strong as your weakest link. Do your company a favor and do not disregard InfoSec in your supply chain, or your bottom line.
I would say the consumer-packaged goods (CPG) industry, like many others, is significantly affected by information security risks posed by third parties, largely due to its extensive reliance on a complex supply chain and the digital transformation that has extended greatly over the last decade. With the increased amount of consumer data collected through online channels, CPG companies are at risk.
If their third-party data processors or analytics providers suffer a breach, this could lead to significant privacy violations and fines, which could also erode customer trust and loyalty. This could then lead to loss of revenue and hefty fines under regulations like GDPR or CCPA, all of which again hit the wallet where it hurts. In addition to that, third parties with access to a company’s intellectual property can inadvertently expose trade secrets, formulas, or new product designs.
This not only has a direct financial impact but can also erode competitive advantage and tarnish the brand’s image if the market gets flooded with knockoff brands or duplicates. And similarly, a cybersecurity incident affecting these types of vendors can disrupt the company’s operations. This can lead to product shortages and damage to a brand’s reputation for reliability, both of which hurt the bank account.
So, generally speaking, fostering a culture of security awareness and collaboration across one’s supply chain can really help mitigate these types of risks and eventually (or ultimately) protect the brand’s reputation and its bottom line, while also lifting the security of the entire supply ecosystem. So, I would definitely recommend trying to foster that collaborative awareness of security and having that trickle down to your suppliers and their suppliers who also support your critical engagements.
I would say that effective vendor onboarding plays a critical role in enhancing a company’s cyber and information security posture. By implementing a thorough, repeatable, and consistent onboarding process, companies can ensure that their vendors meet their security standards from the outset, reducing the risk of breaches and vulnerabilities down the line.
Good vendor onboarding helps lead to a stronger defense against cyber threats, and a proper onboarding program is also auditable and in compliance with federal regulations depending on the industry that you operate in. So, make sure you’re keeping track of all the risk data at every step of your process and lock all decisions made, or you could adopt a solution that does that for you.
This one’s close to my heart because of my role, but I would say that for a top-notch third-party risk management program focusing on InfoSec, here’s the playbook. First, you’re going to want to kick off with risk evaluation, doing a deep dive into your third party’s policies, controls, procedures, supporting documentation, and generally making sure that they’re on par with your security expectations. If they’re not, work with them to level up before you dive into doing business with them.
Next, I would say set clear security expectations. Spell out your InfoSec needs in contracts, including compliance with relevant laws and standards. In addition to that, it’s important that you demand strong incident responses. Ensure that your partners have solid plans for when things go south, including clear roles and responsibilities, as well as response SLAs to help spread out that risk.
Next, I would say education is a big piece, even before you’re doing business with them. Run security awareness programs for everybody: your team and your third parties. Human error is a hacker’s best friend. So, cut down on chances of slipups, don’t click that suspicious link, and please do not plug in any flash drives onto company hardware.
In addition to that, I would say access control is key. Only give third parties the access they absolutely need and keep that access under consistent review. Less is more in this case as engagements change over time. Continuously make sure that their access rights also match with that dynamic state. And, as the engagement kicks into gear, monitor relentlessly.
I would also say keeping an eye on third-party security practices with periodic reassessments is a great way to go. You can automate this with tech tools for efficiency and don’t shy away from doing regular audits and certification checks. Monitor intensity and cadence based on the risk that the third party poses, what type of engagement it is, and how it supports your business.
I’m a little biased, but I would definitely say embrace the technical solutions. Use technology to streamline third-party risk management. Automation can make risk assessments in monitoring smoother and more effective. The information security risks, as well as your attack surface, are both scaling far more rapidly than your headcount will allow. You need automation to help you scale to meet the threat and you need it ASAP.
And, I would say by sticking to these practices, you’ll not only beef up your TPRM program, but you’ll also safeguard your data and your reputation. It’s all about being proactive, precise, and prepared.
This interview has been edited for length and clarity.
Share with Your Friends:
