by Freedom Consulting, posted on July 28, 2020
In today's interconnected and transparent business environment, third-party risks become your risks. Avoiding risk entirely is impossible; however, there are steps an organization can take to reduce the risk it inherits from third parties. The security industry uses the term due diligence frequently, and for good reason: it is essential to conduct due diligence and follow a defined process when investigating third-party vendors. For this article, due diligence is the process of examining the details of a business, person, asset, or investment in order to understand the risks associated with that entity. At its core, third-party due diligence is independent investigative work conducted from a neutral, unbiased point of view. The goal is to gather the information that either highlights red flags requiring a risk assessment or provides comfort that your third-party vendor is reputable. In short, due diligence is doing your homework.
Due diligence reports are typically completed before a business transaction is finalized. They are common in business deals, investments, the hiring of a third-party vendor or a new employee, real estate transactions, and any other transaction of importance to a company. A due diligence report should include an overall assessment of the third party, its financial risks, an assessment of its leadership, its technology and product risks and vulnerabilities, a review of its social media presence, lawsuits, bankruptcies, recent news (both negative and positive), licenses, and the terms of the proposed relationship.
Due diligence is something most people do in their everyday lives without realizing it. A simple example is the research someone does before purchasing a new car: finance rates, customer reviews of the dealership, vehicle performance and reliability reviews, comparisons between classes of vehicle, warranties, incentives, and every other detail that matters to the buyer. In the security industry, due diligence is not much different, whether it takes the form of security assessments, red team penetration testing, employee background checks, or the review of potential investors, partnerships, and third parties. You have to do your homework.
There are numerous incidents in which Fortune 500 companies hired third-party vendors and those vendors, intentionally or inadvertently, harmed their clients. The retail giant Target was the victim of a cybersecurity breach in 2013. The criminals gained access to Target's network using credentials stolen from a third-party HVAC contractor that did work for Target. Experts believe nearly 40 million credit and debit card numbers, along with the personal information of roughly 70 million Target customers, were stolen in the attack. Did Target conduct thorough due diligence on its third-party vendors to ensure the safety of its networks?
Conducting due diligence is time consuming, tedious, and at times inconvenient. It goes beyond basic checks; it is an in-depth analysis of the third-party vendor. A business should know a third-party vendor nearly as well as it knows its own business. A due diligence report gives decision-makers the power of knowledge when negotiating with third-party vendors. Below are a few examples of questions to ask when preparing a due diligence report.
If an organization decides not to conduct due diligence on a third-party vendor, it exposes itself to financial, security, and reputational risk. Due diligence can save an organization money, time, and reputation. Remember to do your homework: failing to conduct due diligence means a business is blindly entering into an agreement with the third party.
JG-Freedom Consulting LLC
© 2024 Freedom Consulting LLC. All rights reserved