It’s a fact of business life that customers, markets, and industry commentators only see your brand, and not the suppliers who provide the materials, components, or products behind it.
Naturally, that’s what many enterprises want, so that they can build their brand image and reap the benefits of more revenues and bigger margins.
The flip side is that if a material, component, or product is bad, or if a vendor exposes your confidential business information, then people still only see your brand.
They then consider your enterprise alone to be the culprit, putting your business continuity in danger. Companies can check up on their vendors to make sure they have preventative procedures in place.
But what about the subcontractors of those vendors?
With the complex supply chains now in place, companies must not only contend with third parties in terms of business continuity, but with fourth parties too.
Quality and availability are always concerns, but so is security of confidential data. Vendors often have access to company networks and information.
The risk of data breaches or other compromises then extends back to subcontractors as well.
Ponemon Institute ran a survey on “Data Risk in the Third-Party Ecosystem” in 2016 and found some revealing results.
- Whereas 63% of respondents considered that a third-party vendor would notify them if it had a breach concerning their confidential company information, the figure plummeted to 27% for fourth-party vendors (subcontractors).
- 65% of respondents did not monitor vendor safeguards, 58% could not determine vendor safeguards, and only 41% believed vendor safeguards were sufficient.
Multiply this by the number of third-party vendors per company (possibly thousands) and the number of fourth-party vendors behind them, and the size of the problem becomes even more evident.
Legally, your company is responsible for what it provides to its customers and for their information. Blaming the vendor or the subcontractor won’t wash for operational losses, reputational damage, strategic prejudice, or non-compliance with regulations.
Whatever solution you put in place for this, it will need to go back enough levels to ensure that none of your third-party, fourth-party, or Nth-party vendors can have any significant impact on your business continuity.