Companies Should Consider Third-Party Physical Security Risks

Often, discussions around third-party risks swirl around cybersecurity. However, physical security is very much a pressing concern that risk management professionals and security leaders should consider when it comes to their relationships with vendors and partners.

Recently, Prevalent, Inc., released the 2022 Third Party Risk Management (TPRM) Industry Study, which examines current realities affecting third-party risk management professionals.

The study reveals that 45 percent of those surveyed have “experienced a third-party security incident” in the past year, while 69 percent of study participants revealed data breaches are the “top third-party risk concern.” Additionally, 40 percent of respondents reported they are now directing greater focus to non-IT-centric security risks, according to Security Magazine.

Important risks to keep in mind

In its coverage of the report, Security Magazine highlights that — while physical security concerns are attracting greater focus — many firms continue to ignore or brush aside these “less quantifiable non-IT risks.”

Some of these include:

  • Modern slavery
  • Anti-money laundering
  • Anti-bribery risks
  • Corruption risks

These could result in “compliance violations, fines, or negative reputational impacts, as well as human rights violations,” Security reports.

Essentially, the costs of ignoring physical security concerns can be great.

The survey also showed that this perception is gradually changing. About two-thirds of participants said their companies’ third-party risk management initiatives “have more visibility among executives and the board” as compared to the previous year.

A changing landscape

Security Magazine notes that this greater awareness came with a cost. It took massive breaches, including a greater incidence of “third-party vendor and supplier-related cybersecurity” problems like Log4j, as well as issues like the Kaseya ransomware attack and Toyota’s supply chain collapse, to change people’s perspectives.

The survey also points out that firms need to update their tried-and-true practices if they are going to take third-party risks seriously.

For instance, 45 percent “indicate that they are still using spreadsheets to assess their third parties,” an increase from 2021, when 42 percent reported relying on what is seen as a relatively outdated approach, according to the report.

The authors of the Prevalent report stress that firms have to be vigilant about addressing problems as they occur in real time. This must happen at every stage of a company’s relationship with third-party vendors.

“Tracking vendor and supplier risks at the earliest stages of the vendor relationship (for example before contracting and onboarding) should be a no-brainer. But data from this year’s study shows that discipline trails off as the vendor lifecycle progresses,” states the report. “Security, compliance and operational issues can crop up at any time during a vendor or supplier relationship, so it’s important to address risk at each stage of the third-party lifecycle.”

Published by Peter Cavicchia

Peter Cavicchia is a retired U.S. Secret Service Senior Executive, now Chairman of the security consulting firm Strategic Services International LLC.
