This post is part of G2's 2021 digital trends series. Read more about G2’s perspective on digital transformation trends in an introduction from Michael Fauscette, G2's chief research officer and Tom Pringle, VP, market research, and additional coverage on trends identified by G2’s analysts.

Vendors pose data breach risks

Data breaches can be devastating to a company, which is why companies must strive to prevent them. The brand damage following a data breach alone can be catastrophic, not to mention monetary and productivity losses, as well as fines related to global data protection and privacy laws. It’s not just the security risk companies assume themselves, but also the risk their vendors pose to them, as well. Vetting your vendors is a critical component to preventing data breaches.

Companies spend big on cybersecurity tools but are still conducting vendor assessments manually

To prevent data breaches, companies spend heavily on cybersecurity. In the five years between 2017 and 2021, global spending on cybersecurity products is slated to exceed $1 trillion. Spending on cybersecurity is a good investment considering that cybercrime-related damages globally are estimated to be $6 trillion per year by 2021.

With large corporations spending big on cybersecurity and bolstering their defenses—like JPMorgan Chase spending $600 million per year and Microsoft spending $1 billion per year—hackers have moved on to weaker, less well-funded targets: corporations’ vendors and third parties.

63% of all data breaches can be attributed to a third party, per a 2016 study conducted by Soha Systems (acquired by Akamai) on third-party risk management. One of the most damaging recent examples of such an incident was the 2020 data breach ransomware attack on vendor Blackbaud, a leading provider of database management systems for higher education and nonprofits, including nonprofits that hold medical patient data, which exposed the personal data of millions of people from over 200 of Blackbaud’s client organizations’ accounts. Blackbaud is now being sued in 23 class action lawsuits stemming from the data breach. 

This analyst is not surprised. In a 2019 study conducted by the Ponemon Institute, 53% of IT security professionals admitted to suffering a third-party data breach in the two-year period prior to when this study was conducted, at an average cost of $7.5 million. 

So how can companies ensure that their data is safe in the hands of the third parties they do business with? They can do so by vetting their vendors.

Manual vendor vetting wastes time and money

40% of organizations in the technology and software industries are, astonishingly, still vetting their vendors using manual processes, like by using spreadsheets. 

In the Ponemon study mentioned above, researchers found that vendors spend over 15,000 hours per year answering security assessments and companies spend $2.1 million annually, on average, vetting these answers. Despite this heavy investment of time and money, 55% of IT professionals said these assessments only somewhat or do not accurately reflect vendors’ security posture.

Now, that is a lot of time and money to get a result that’s just a bit better than a coin toss when it comes to protecting a company’s data.

Getting better results with vendor security and privacy assessment software

Vendor security and privacy assessment software are dual-constituency centralized exchange platforms for both third parties and their customers. The software enables the two groups to share up-to-date security questionnaires and answers, security certifications, results of recent security audits, the vendor’s cybersecurity and privacy policies, other documentation, and legal agreements on how sensitive or personally identifying data will be accessed, used, processed, or sold as defined by data privacy laws such as the GDPR or CCPA. 

This software allows vendors to use the same responses across multiple customer assessments, as well as proactively share security information with their customers, which saves the vendor time instead of manually editing individual spreadsheets or forms. These tools often include risk scoring and data breach notification and monitoring.

In a review for the product RFPIO, Ryak K, director of sales engineering writes,

“The primary issue RFPIO has solved for our team is total time from receipt to submission. Over the past year utilizing RFPIO we have seen a 40% reduction is the number of hours spent on each questionnaire. Another huge benefit we have realized is centralizing all information security, compliance and policy content, which has allowed our team to better self-serve in responding to detailed security and technical questionnaires, reducing the overall involvement of security and compliance resources. Lastly, the response content is always ultra sharp. We utilize the built in review and approval functionality to ensure our responses are being reviewed, revised and approved on a regular cadence.”

In a review for the product Loopio, an administrator in the computer software industry writes, 

“Loopio makes completing tedious security assessments quick and easy. The "Magic" feature helps automatically populate answers before you even start to respond. And the Close Loop feature helps make sure the answer library stays up-to-date as you complete your responses.”

The growing vendor security and privacy assessment market

Recognizing the growth in this particular software market and assisting buyers in selecting the best solution for them, G2 created the Vendor Security and Privacy Assessment software category for this specific type of assessment software, above and beyond traditional third-party risk management in summer 2020. Since the category was launched in July 2020, interest in the category, as measured by page traffic, has grown steadily in the past few months, up 175% since July. 

I’m certain this trend will continue as companies seek to better protect their data.

Disclaimer: I am not a lawyer and am not offering legal advice. If you have legal questions, consult a licensed attorney.

Edited by Sinchana Mistry