Why the Old Way Isn’t Working for Information Security

Posted on: January 2, 2019
Author: Steve Richardson

As organizations seek ways to solve the security problems inherent in many of their business partnerships, they require a flexible and collaborative system tailored to different user experiences and needs that is accessible by all parties, integrating their separate data-gathering and sharing efforts within a core risk management system.

Unfortunately, many companies are unsure how to approach this, and end up relying on legacy governance, risk management, and compliance (GRC) solutions. Or, even worse, using spreadsheets and email to track and maintain their risk assessments and third-party relationships.

Manual processes, spreadsheets, and email are not a scalable or sustainable model for managing third-party risks for many reasons. Increased spending with third parties, new and stricter privacy legislation, and an heightened media focus on information security breaches increase the levels of risk a business faces when entering third-party relationships as well as the risks resulting from inconsistent or error-prone assessment processes.

Companies are spending more money, and are relying more heavily, on third parties to manage crucial areas of their business because it can reduce internal costs and cut down on internal hiring and training of full-time employees.

While there is added convenience in sourcing a business process service to a third party, companies must also pay attention to how third parties protect and store sensitive data as well as address their own risk and compliance obligations.

Companies must also consider the General Data Protection Regulation (GDPR), which took effect in the European Union on May 25, 2018 and consolidated all privacy laws into one regulation. GDPR has expanded the privacy rights of individuals in every EU country and has put much stricter rules around how organizations handle the personal data of their customers and employees.

GDPR enforcement not only applies to countries in the EU — but to every company that does business there where EU citizen data is stored or processed.

The broad nature of GDPR makes it even more evident just how much emphasis people around the globe place on their privacy. The result is an increased obligation a company has to ensure that privacy for its employees and customers — which includes a thorough vetting of all third-party relationships.

What’s more, regulations that resemble GDPR are being adopted elsewhere. In California, the Consumer Privacy Act was signed into law in June, and will go into effect in 2020, giving residents of the state much more control over their data.

The media attention paid to data breaches can be intense and highly critical. Journalists pay close attention to how and why such incidents occurred, and what could have been done better by the compromised company.

If an organization has not done its due diligence to protect consumer data by assessing the risks associated with their partners, it will become a key point of the news coverage, and can permanently damage the company’s brand and consumer confidence.

Learn more about how Fusion can help with your GDPR and other regulations by visiting our data protection page.