Trucking companies put a lot of emphasis, as they should, on risk management. We operate in an industry that comes with inherent risks, and top-flight organizations know they must have good planning and procedures for how to mitigate risks and potentially respond if a negative situation happens.
Despite a company’s efforts to mitigate risk, it can still fall prey to disaster if a third-party vendor or business partner has failed to do so. Risks arising from third-party business relationships can damage everything from a company’s finances to its data to its reputation.
During a recent NMFTA webinar, Erica Voss, Ph.D., vice president of information security at DAT Freight & Analytics, presented a detailed look at how trucking/supply chain companies can design and implement a third-party risk management (TPRM) program.
The types of security risks companies might face through their relationships with third parties include:
Voss shared that 73 percent of organizations say they have heavy dependence on outside service providers. Yet only 54 percent of companies make TPRM a part of their broader risk management program, and 37 percent say they don’t have TPRM programs at all.
TPRM is a process by which companies monitor interactions with all their third parties, both contractual and non-contractual. It’s the basic idea that companies need to have a solid understanding of those with whom they are working.
That especially includes an understanding of how much of your data the external party has access to. It also involves having a sense of the relative health and strength of that third party.
Imagine a scenario in which an outside vendor, which is in possession of a large volume of your company’s data, declares bankruptcy. Or let’s say that third-party vendor is the victim of a cyberattack.
“You don’t want to sign a contract with a vendor and then find out later they’re going through a bankruptcy, or they’ve been breached, and they’ve got all this data of yours,” Voss said.
Dealing with such scenarios, Voss said, compels companies to “play the what-if game”: gaming out different scenarios and determining whether the third-party companies involved are secure and strong enough to handle them.
One such issue is regulatory compliance. A company handling credit cards, for example, must be payment-card industry compliant. A company dealing in any kind of health care business needs to be compliant with the Health Insurance Portability and Accountability Act (HIPAA). Any third-party vendor or business partner that is not compliant with critical regulations could put your company at risk.
Ensuring that outside vendors and partners are solid in these areas is a critical part of any TPRM effort. At the same time, companies should have a plan for off-boarding vendors or partners who are shown to present unacceptable risk levels.
Buy-in and support from executive leadership. That comes with clearly identifying the outcomes and return on investment (ROI) executive leadership will want from the effort, and the metrics that will be used to measure those outcomes.
A clear assessment of the risks the company will seek to address. Closely associated with this will be a vision for how to control the risks, and the possible roles of functions like procurement and, of course, data and how much of it is being shared with vendors.
Because data is so critical, companies should have a data classification process – much like the federal government classifies highly sensitive information. For example, if a company is dealing in people’s personal information, the company should decide what level of information is too sensitive to put at a certain level of risk. Maybe a person’s first and last names and e-mail addresses are of low concern, but adding the person’s birth date would put it in a different classification.
When dealing with vendors, companies should recognize that risks become greater as more tiers of vendors are involved. Voss shared that she once dealt with a vendor map that was seven tiers deep. That many companies dealing with your company’s data presents all kinds of issues.
“Mapping seven tiers was mind-blowing to me,” Voss said. “You’ve got to understand that beyond those first and second tiers is where you get yourself into trouble.”
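The data classification rule above (name plus e-mail is low concern, adding a birth date raises the class) and the multi-tier vendor map are two halves of one question: which vendors, how many contracts removed from you, end up holding your most sensitive fields? The following added example, which is not from the webinar or DAT, walks a constructed four-tier vendor map and answers that; the sensitivity scale, vendor names and field names are assumptions made for illustration.

```python
from collections import deque

# Constructed sensitivity scale; the page only says name + e-mail is low
# concern and a birth date moves the record into a higher classification.
FIELD_SENSITIVITY = {"first_name": 1, "last_name": 1, "email": 1, "birth_date": 2}

def classify(fields):
    """Highest sensitivity of any field; unknown fields fail closed to level 3."""
    return max((FIELD_SENSITIVITY.get(f, 3) for f in fields), default=0)

def vendor_exposure(edges, root="our_company"):
    """edges: {(upstream, downstream): fields passed along that contract}.
    Returns {vendor: (tier, fields actually received, classification)}."""
    # Tier = shortest chain of contracts from root (tier 1 = direct vendor).
    tier, queue = {root: 0}, deque([root])
    while queue:
        up = queue.popleft()
        for (u, down) in edges:
            if u == up and down not in tier:
                tier[down] = tier[up] + 1
                queue.append(down)
    # Root holds every field; a downstream vendor receives only the fields
    # named on the edge that its upstream really holds. Iterate to a fixed
    # point so a vendor fed by several upstreams gets the union.
    held = {root: set().union(*edges.values())}
    changed = True
    while changed:
        changed = False
        for (up, down), fields in edges.items():
            flow = fields & held.get(up, set())
            if not flow <= held.setdefault(down, set()):
                held[down] |= flow
                changed = True
    return {v: (tier[v], frozenset(held[v]), classify(held[v])) for v in tier if v != root}

def beyond_tier_two(exposure, min_level=2):
    """Vendors past the second tier holding data classified at or above min_level."""
    return sorted(v for v, (t, _, lvl) in exposure.items() if t > 2 and lvl >= min_level)

# Constructed map: a TMS provider subcontracts support offshore, which in
# turn uses a backup host; a marketing agency gets contact details only.
VENDOR_MAP = {
    ("our_company", "tms_provider"): {"first_name", "last_name", "email", "birth_date"},
    ("our_company", "marketing_agency"): {"first_name", "last_name", "email"},
    ("tms_provider", "support_subcontractor"): {"first_name", "last_name", "birth_date"},
    ("support_subcontractor", "backup_host"): {"first_name", "last_name", "birth_date", "email"},
}

if __name__ == "__main__":
    for v, (t, fields, lvl) in sorted(vendor_exposure(VENDOR_MAP).items()):
        print(f"tier {t} {v:<22} level {lvl} {sorted(fields)}")
    print("review beyond tier 2:", beyond_tier_two(vendor_exposure(VENDOR_MAP)))
```

Note that the backup host is flagged even though nobody at your company ever contracted with it, and that the e-mail field named on its contract is not counted because its upstream never received it.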
Once a company has established its TPRM plan, implementing it is both critical and challenging – and must include an effective assessment process.
Finally, Voss urged attendees to add important best practices into their TPRM efforts, including:
Automating responses to third-party incidents. Too many organizations have only manual processes, which can be error-prone and too slow to act on.
Getting serious about the right kinds of technology. “Give up your spreadsheets once and for all,” Voss said, adding that many companies are still using such rudimentary platforms to chronicle their risk factors. “It’s 2024,” she said. “Let technology help you.”
Building a single source of truth. Many companies use overlapping tools that present a foggy and sometimes contradictory picture of their third-party risk. Voss urged companies to consolidate all such information into a single platform that speaks with a clear voice.
Don’t just assess third-party risks. Remediate them. It’s not enough just to recognize vulnerabilities. Companies must put plans into action to remediate those risks so they really will make themselves more secure in today’s business environment.
If you would like to watch a recording of the entire webinar, it is available here.
Cara is the Director of Cybersecurity at the National Motor Freight Traffic Association, Inc. (NMFTA)™. She is a distinguished supply chain expert with over a decade of experience as a people and thought leader in cybersecurity for highly regulated global industries and companies such as Coyote Logistics, UMB, H&R Block, and New York Life. Cara is a recognized thought leader and frequent speaker within the cybersecurity industry. She holds many top cybersecurity certificates and accolades, with her work being presented at several national conferences.