What’s the cost of not implementing a vendor management platform?

May 26, 2020 // Tony Howlett

Last Updated: November 19, 2020


The conversation around any sort of platform usually revolves around what it costs: the base price, whether there are add-ons, and whether you have to pay for support. Sometimes, though, it makes more sense to think about what it costs if you forgo implementing a software platform. What makes this harder is that optimizing for security and for efficiency too often pulls in opposite directions: when you boost one, you end up compromising the other. Especially when it comes to managing your vendors, this balancing act between granting network access and keeping your data and systems safe can be difficult.

Luckily, Vendor Privileged Access Management (VPAM) platforms provide an easy, effective solution to this problem, giving organizations an efficient way to stay secure. There are plenty of reasons why businesses benefit from investing in VPAM tools, but what about the costs of not investing in VPAM? Here’s an outline of the risks associated with foregoing a systemized, automated approach to securing your network from third-party vendor breaches.

Manual risk management processes are ineffective

When organizations choose not to use software to help them manage their network access controls, especially for vendors, they find themselves monitoring their systems by hand, either on paper or with ill-suited tools like spreadsheets. Tracking and managing vendors this way can prove time-intensive and costly. The average company spends 17,000 hours annually – amounting to over nine full-time employees – compiling compliance reports and investigating security anomalies.

Vigilance is needed to secure networks against vendor vulnerabilities, as nearly two-thirds of all breaches are due to third parties. Unfortunately, it only takes one vendor to cause an incident. No matter how much time and money an organization spends on efforts to maintain data security, it won’t be enough to protect the network without proper software tools. A 2019 study conducted by the Ponemon Institute, focused on the economic impacts of third-party vendor risk management in the healthcare industry, found that nearly two-thirds of respondents believe manual risk management processes cannot keep pace with cyber threats and vulnerabilities. In short, not only is manual risk management costly and time-consuming, most organizations don’t even believe that it works.

Third-party noncompliance penalties

Compliance regulations can be a headache, especially because if your third-party vendors aren’t compliant, neither are you. In many industries, if a vendor causes a breach but the systems or data are yours, the fines are your responsibility. Fines and penalties vary by industry, so here’s a quick explainer on how they specifically apply to HIPAA/HITECH, ITAR, PCI DSS, and GLBA.

HIPAA/HITECH

The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act) provide regulations for ensuring the security of Personal Health Information (PHI), a specifically defined and protected class of data under the law. Protecting people’s information is critical, especially details concerning personal health, so the penalties for violating these regulations are severe. HIPAA noncompliance violations can range from $100 to $50,000 per violation (or per record), depending on the level of negligence related to the specific case. The maximum fine, imposed for uncorrected, willful neglect, is $1.5 million. Remember that this is a fine your organization could have to pay, even if it’s your vendor who is noncompliant.

ITAR

International Traffic in Arms Regulations (ITAR) requires that companies maintain security in the import and export of defense-related articles and services on the United States Munitions List (USML). For technology companies, this law is aimed at protecting important data from reaching the hands of foreign nationals. As matters of national security are strictly enforced, noncompliance fines for organizations and their vendors are steep. ITAR violations can lead to business restrictions, criminal or civil penalties, and imprisonment. Civil fines can reach up to $500,000 per violation, and criminal fines can reach up to $1 million and 10 years in prison per violation.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of standards that apply to any business that accepts credit card payments. The goal is to keep financial information secure, and the major credit card companies are tasked with ensuring compliance and administering fines for violations, both by merchants and their vendors. Fines are not widely published or reported, but they vary between $5,000 and $100,000 per month of PCI non-compliance.

GLBA

The Gramm-Leach-Bliley Act (GLBA) is a U.S. federal law that requires financial institutions to prove they keep their clients’ nonpublic personal information (NPI) secure. Under this law, institutions that disclose NPI to third-party vendors are obligated to enter into a contractual agreement with their vendors, ensuring the NPI will not be used for anything other than to carry out the task required in the contract. This means that organizations and institutions subject to GLBA are responsible for their own compliance and for that of their vendors. GLBA violations are penalized with fines of $100,000 per violation for institutions and $10,000 per violation, plus up to five years in prison, for individuals.

Data breach costs

Expenses can pile up quickly for non-compliance violations, but the costs associated with insufficient cybersecurity don’t end there. Data breaches can be incredibly expensive, especially in the United States. A 2019 study published by the Ponemon Institute and IBM Security found that the average cost of a data breach in the U.S. is now up to $8.19 million – or $242 per stolen record. And certain industries are hit even harder than others, particularly in healthcare. The study found that the average cost of a healthcare data breach in the U.S. is a whopping $15 million.

Ransomware costs

Ransomware attacks are growing in frequency and scale and becoming increasingly expensive to resolve. According to Coveware, the average cost of a ransom payment in Q4 2019 “increased by 104% to $84,116, up from $41,198 in Q3 of 2019.” However, other metrics gauge ransomware attacks as even more expensive. When taking into account the ransom payments and associated losses, such as the value of lost data, the expense of repairing infrastructure, and the rebuilding of brand image, research by Kaspersky Lab shows that a single ransomware attack costs companies more than $713,000 on average. These figures make clear that it’s far wiser to invest in preemptive security than to try to react to an attack after the fact.

Invest now, save later

Even though many cybersecurity platforms can seem expensive initially, the benefits of having a secure network far outweigh the costs of the alternative. Between noncompliance violations, data breaches, ransomware attacks, and damage to brand image, the costs of having a vulnerable network can be insurmountable. VPAM tools can help you lock down your data and protect against third-party breaches, saving the time and money your company needs to succeed.

This blog originally ran on Cybersecurity Insiders.