Data breaches caused by third parties have become a regular part of the news cycle, from the vulnerabilities in the platform the Boy Scouts use to sell popcorn to the massive exposure of DoorDash customer and driver records. Ponemon Institute estimates that about 63% of data breaches are caused by third parties and that the average cost of these breaches is almost $4 million, but it’s even harder to calculate the cost of reputation loss and the loss of customer trust.
Research conducted by Aravo and our partners indicates that third-party risk practitioners are feeling the pressure. In a survey conducted in association with CeFPro, cybersecurity was cited as the biggest concern for boards, multiple times more often than any other single response. Yet respondents also reported facing challenges in managing and reporting on these third-party risks. Cybersecurity was cited as the biggest challenge facing third-party risk management programs in the coming year.
To help organizations quickly set up programs to manage information security risks like cybersecurity and data privacy, Aravo recently introduced a new off-the-shelf application. Aravo for Information Security complements Shared Assessments’ SIG (Standard Information Gathering) assessment with robust workflow and data management and point-and-click dynamic scoping.
“Managing third-party information security risks is nothing new for Aravo,” says CTO Eric Hensley. “We’ve been helping some of the world’s biggest brands manage their programs for a long time. What’s different about Aravo for Information Security is that we’ve eliminated the need for organizations to design their programs from scratch, which can require significant time and expertise. For less mature third-party risk management programs, this product gives them the confidence to quickly launch a program that leverages our years of experience. But we’ve also seen that more established third-party risk teams recognize the benefit of rapidly complementing their programs with Aravo for Information Security, which also provides them with the flexibility to modify or extend their program in the future.”
Leveraging industry standards
In addition to rapid implementation, Aravo for Information Security is also designed to increase efficiency and reduce the burden on employees and vendors, which ultimately means that third parties can be onboarded sooner to benefit the business. Automated workflow processes eliminate the need to manually juggle spreadsheets and emails. With dynamic scoping, risk experts can easily select which risk control domains in the SIG Lite or Core (or any combination) apply to a specific third-party relationship. If the third party already has an existing completed SIG, they can also upload it directly to Aravo for Information Security.
“It’s a simple solution for the CISO and IT security team based on the Shared Assessments SIG,” commented French Caldwell, founder and chief of research at FCInsights, after seeing a demo of the application. “A nice feature for third parties that already have a completed SIG is that they can just upload it to the Aravo IS [information security] questionnaire and it will automatically populate — so no mind-numbing clicking on yes and no questions.”
By leveraging the industry-standard SIG Core and Lite assessments, organizations can have confidence in a defensible approach to evaluating third-party information security risk. The assessments are aligned to more than two dozen US and international standards, including NIST, ISO, EU GDPR, UK FCA, and HIPAA.
This is the level of certainty organizations need to be able to improve decision making with a centralized view of third-party information security risk. Aravo for Information Security also includes robust reporting and dashboards and a detailed audit trail, making it easier for third-party risk programs to quickly and accurately deliver the data demanded by senior management, the board, and auditors.
Aravo for Information Security is available now. To see the application in action, contact Aravo for a demo.