Mandarin Oriental is the latest big company to see its name added to the list of organizations suffering a data breach via their point-of-sale (POS) systems. The luxury hotel chain confirmed that malware infected their systems—which are still using Windows XP—and that customer credit card data was stolen.
Vulnerable POS systems have become a common access point for cyberattackers over the past few years; the Mandarin Oriental breach is only unusual in that the organization caters to a high-end clientele. One goal risk professionals strive for is to ensure that vendors are doing everything possible to minimize risk posed not only by payment card platforms but also by a variety of other systems and processes. Often, the method risk staffs use is a risk assessment Excel spreadsheet, sent to and answered by key third parties. This option is inexpensive compared with automated solutions, and it is designed on a platform familiar to most digital employees. However, this option may prove to be more of a detriment to the companies initiating the screenings. Here are four ways risk assessment Excel spreadsheets may not help your business:
1. The spreadsheet is old
A major issue with a risk assessment Excel spreadsheet is that you might not know how recently the screening has been updated, if at all. In other words, you might be assessing a vendor with the hopes of addressing today’s threats, yet with a questionnaire designed five years ago (and not updated since). Windows XP is a perfect example of an outdated focus: If a risk assessment isn’t acknowledging that the operating system is no longer supported, the screening is behind the times—and your data will be faulty. Most vendor risk management software platforms solve this dilemma by offering assessments that are continually updated to reflect the latest concerns, revisions, and threats.
2. The vendor takes too much time to complete the assessment
Another weakness of a risk assessment Excel spreadsheet is the time required to complete the screening process on the vendor’s end. One spreadsheet is forwarded from individual to individual and department to department, and extra time is required for it to be completed, one section at a time. A process that should only take a few days might stretch to weeks or longer; any risks that might be present languish undiscovered, just waiting to turn into something more serious. Automated solutions help by allowing for delegation of assessment sections to relevant employees and respondents, thus permitting the entire screening to be worked on simultaneously.
3. Your staff is overwhelmed
Once a vendor completes a risk assessment Excel spreadsheet, the fun really begins. Risk professionals must then pore through the results, often question by question, to arrive at any sort of meaningful analysis. The process takes time—time that risk staffs don’t have, time that is added to the weeks required just to get the spreadsheet back from the vendor in the first place, and time that could be devoted to other risky vendors.
4. The assessment produces inconclusive data
Logistical obstacles of a risk assessment Excel spreadsheet can be annoying but might be tolerated by some risk staffs. Bad data generally cannot. If a spreadsheet-based assessment’s rating system is flawed (if it has a rating system at all), the assessment might not give you the results you are looking for. Worse yet, the data might be skewed, thus leading to ill-informed decisions. Automated solutions that employ comprehensive risk scoring produce thorough, streamlined results that give risk professionals confidence that their management choices are being made with the best information possible.
What has been your experience with a risk assessment Excel spreadsheet?