You probably already know a little bit about vendor risk management.
Look at the two car lots in the above picture. Which one would you trust with your vehicle purchase?
Congratulations! You’ve just practiced vendor risk management.
When it comes to B2C vendors, we know that our purchases can carry risks and are on the lookout for unsavory practices by vendors and suppliers that threaten our finances or safety.
The risks B2B vendors pose aren’t as immediate or intuitive, so a lot of small and midsize organizations don’t have the capability to sniff out and avoid risky vendors.
Good news: our organization’s “noses” can be trained with the creation of a vendor risk management program; as any organization grows and builds out a cybersecurity program, they will have to develop this capability.
What is vendor risk management?
Vendor risk management is the practice of identifying and reducing the risks posed to your organization by its third-party vendors. In cybersecurity, vendor risk management is particularly focused on risks associated with the data your organization shares with third parties, or the critical IT infrastructure vendors provide for your day-to-day operations.
Why is third-party security important?
Third-party security is important because vendors often pose large risks to their client organizations, especially if they provide critical IT services or handle sensitive data. Vendors are commonly used as vectors to target their client organizations in supply chain cyber attacks. In fact, over 56% of cyber attacks since the start of 2021 have involved supply chain risks.
What is an example of a vendor risk?
Every vendor your organization uses has the potential to bring several risks with it.
Say your organization, like most, relies on a SaaS human resources management system (HRMS) to run payroll, manage benefits, and administer vacation time. In the event that this vendor is compromised, your company could lose the ability to perform any of these vital functions. These systems also often contain a great deal of PII about your employees – all of which could potentially be stolen or leaked if that vendor was compromised.
And this is just one vendor! Every vendor you share data with, or that provides important business functionality, has the potential to cause your business harm in the event that they suffer a cybersecurity incident.
Assessing and managing vendor risk is the best way organizations can protect themselves from these supply-chain incidents and cyber attacks.
What should be in a vendor risk assessment?
There are a large number of factors to include in a vendor risk assessment:
What type of data, if any, you are sharing with the vendor.
How important the functionality this vendor provides is to business operations.
The severity and type of damage an incident with this vendor would cause.
The quality of the vendor’s cybersecurity program – are they certified or compliant with any major standards such as ISO 27001 or SOC 2?
Internal controls you have in place around the use of this vendor.
A remediation plan for the vendor’s cybersecurity deficiencies, if needed.
This is not a comprehensive list, but it is a good starting point. Organizations may change what specifically they’re looking at based on their business needs and risk tolerances.
Let’s take a look at what each of these factors entails, and why they’re so important.
Type of Data
The type of data you share with a vendor is one of the most important factors in assessing a vendor’s cybersecurity risk. If you don’t share sensitive data with a vendor, then there is little danger posed to you in the event of this vendor suffering a data breach. However, a vendor that stores personally identifiable information (PII) on your behalf poses a much larger risk. Your customers will not be happy if the vendor you chose to trust with their data ends up being the source of a major breach and data leak!
The specific classifications you use may depend on your business, but here are five you can use as a starting point:
None. No data is being shared with the vendor.
Public. Only publicly-available data is being shared with the vendor. For example, data about your competitors shared with a market research firm.
Confidential. Confidential data is widely available to employees and other trusted parties, but not to the general public. For example: employee handbooks, training guides, policy documents, employee business email addresses.
Sensitive. Sensitive data is typically only available to individuals on a “need-to-know” basis. This commonly includes financial reports, sales forecasts, bank routing information, source code, and more. Many SaaS vendors require or store a great deal of your organization’s Sensitive data. Do you know who they all are, and how good their cybersecurity programs are at protecting them?
Protected. Protected data is sensitive information that’s subject to additional regulatory, compliance, or contractual obligations. This often includes protected healthcare information (PHI), credit card numbers, and other PII.
Importance of Functionality
Some vendors provide services that are more critical than others. You probably don’t need us to tell you that the cloud infrastructure running your product is more critical to your business’s day-to-day functionality than the pentesting firm that comes in once per year!
Even if you don’t share a lot of data with a vendor, they could pose a grave risk to your business if a service outage would bring your operations to a grinding halt.
Severity and Type of Damage
Taking the previous two factors into consideration, you can pull together an understanding of the type of damage a vendor incident could cause your organization. Would it stop your operations? Result in stolen customer or employee data? Or just be an inconvenience while they resolve the issue? Take note of the possibilities.
Quality of Vendor Cybersecurity
When assessing a vendor’s cyber risk, you must evaluate their cybersecurity program. You can do this by providing a cybersecurity questionnaire, requesting their SOC 2 report, or requesting their certification status (ISO 27001). Vendors with strong cybersecurity programs are generally less likely to suffer an incident that impacts their customers.
You don’t have to be a cybersecurity expert to make an evaluation on behalf of your company. View our guide on how to read a SOC 2 report to get an idea of what to look for when assessing a vendor’s program.
Your Organization’s Internal Controls
You can mitigate some of the risk associated with your vendors by running an internal audit and implementing internal cybersecurity controls surrounding their use. Some example controls you can use include: requiring multi-factor authentication (MFA), auditing your usage of the vendor periodically, and implementing a data policy which clearly limits what can and can’t be shared with the vendor.
Vendor Remediation Plan
In the event that a vendor has lackluster cybersecurity, they may have existing remediation plans in place to improve things. If they do have one, and are following through, the risk they pose to your organization will likely be less than what your initial evaluation reveals and could continue to decrease over time.
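As an added illustration (not the article’s own method), here is a hypothetical scoring scheme that turns the factors above into a vendor register entry: the five data classifications and a three-level importance scale give an inherent score, and a recognised attestation, your internal controls, and a vendor remediation plan each reduce it. The weights, control names and sample vendors are assumptions made for the example.

```python
# Hypothetical vendor risk register scoring (example added here; not the article's own method).
from dataclasses import dataclass, field

# Data classification tiers from the article, least to most sensitive.
DATA_TIERS = {"none": 0, "public": 1, "confidential": 2, "sensitive": 3, "protected": 4}
IMPORTANCE = {"low": 1, "medium": 2, "high": 3}  # importance of the function (assumed 3-level scale)
ATTESTATIONS = {"SOC 2", "ISO 27001"}  # independent evaluations the article names

@dataclass
class Vendor:
    name: str
    data_tier: str                                  # key of DATA_TIERS
    importance: str                                 # key of IMPORTANCE
    attestations: set = field(default_factory=set)  # e.g. {"SOC 2"}
    controls: set = field(default_factory=set)      # your own controls, e.g. "mfa", "data_policy"
    remediation_plan: bool = False                  # vendor is actively closing known gaps

def inherent_risk(v: Vendor) -> int:
    """Exposure before mitigation (1..7). Additive, so a vendor holding no data
    but running a critical service still scores on outage impact."""
    return DATA_TIERS[v.data_tier] + IMPORTANCE[v.importance]

def residual_risk(v: Vendor) -> int:
    """Inherent risk minus one point per applicable mitigation (assumed weights)."""
    reduction = 0
    if v.attestations & ATTESTATIONS:
        reduction += 1  # program already evaluated by a trusted third party
    if "mfa" in v.controls:
        reduction += 1  # a leaked password for your vendor account alone does not grant access
    if "data_policy" in v.controls and DATA_TIERS[v.data_tier] >= DATA_TIERS["confidential"]:
        reduction += 1  # a sharing policy only helps when data is actually shared
    if v.remediation_plan:
        reduction += 1
    return max(0, inherent_risk(v) - reduction)

def rating(score: int) -> str:
    return "low" if score <= 2 else "medium" if score <= 4 else "high"

def needs_full_assessment(v: Vendor) -> bool:
    """Core applications get full due diligence; minor vendors are registered but not assessed."""
    return v.importance == "high" or DATA_TIERS[v.data_tier] >= DATA_TIERS["sensitive"]

# Constructed sample vendors mirroring the article's examples.
SAMPLE_VENDORS = [
    Vendor("HRMS SaaS", "protected", "high", {"SOC 2"}, {"mfa"}),
    Vendor("Cloud infrastructure", "sensitive", "high", {"ISO 27001"}, {"mfa", "data_policy"}),
    Vendor("Annual pentest firm", "sensitive", "low", remediation_plan=True),
    Vendor("Market research firm", "public", "low"),
]
```

Sorting vendors by `residual_risk` gives a first-pass register; the HRMS vendor stays rated high even with a SOC 2 report and MFA because of the protected data it holds.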
When to perform a vendor risk assessment
Most organizations will begin performing vendor risk assessments when there is a demonstrable business need, such as a new compliance program. Individual vendors may be assessed in the following scenarios:
The vendor provides a critical functionality that would interrupt business operations if compromised.
The vendor’s contract is up for renewal.
During the vendor selection process.
It’s also a good strategy to tie the implementation of vendor risk assessments to another, related initiative. When a vendor risk management program is mature, organizations will perform vendor risk assessments within the vendor selection process.
However, there’s no time like the present to start assessing your vendor risk! There are a number of positive outcomes that will arise as a result of the practice:
Duplication. Sometimes, different departments will select different vendors to provide the same function. Do you have multiple vendors doing the same thing? Compiling a complete list of vendors can help surface unnecessary duplication.
Critical Functionality. If there is a fear that losing a vendor’s function could force company operations to cease, it would be wise to assess their security and business continuity even as a one-off.
Cybersecurity. If you are building a cybersecurity program, especially if it’s one to comply with frameworks such as SOC 2 or ISO 27001, vendor risk management is essential.
What does a vendor risk assessment look like?
Vendor risk assessments will vary based on each organization’s situation. It’s important to consider the following when determining your vendor risk assessment:
What vendors are most important to your operations?
What is your business’s risk tolerance?
What level of due diligence is warranted for a given vendor? Core business applications should receive a greater level of attention than management consultants, for example.
If a vendor is not significantly important to business operations, then it does not warrant a risk assessment – though it should still be included in your vendor register!
What risk management questions should you ask your vendors?
You should always ask questions that are relevant to your business’s risk management and cybersecurity needs. The most efficient way to ask and get the answers you need is through a vendor risk questionnaire.
Here are some sample questions to get you started:
Does your organization have a cybersecurity policy and a team of proficient resources dedicated to cybersecurity? Have you used this policy to perform a cybersecurity evaluation, or have you undergone a similar assessment by a third party?
Do you consistently review user privileges to ensure they align with the principle of least privilege?
Could you elaborate on your breach notification policy? Do you notify only the affected customer whose data has been compromised, or do you extend notifications to all customers?
Have you established a current information security program, complete with documented policies and procedures?
Do you use monitoring tools to oversee your organization’s network and the software in use? May employees download free or open-source software without prior authorization? Please provide a comprehensive inventory of the software and tools currently in use within your organization.
Have your employees received training in fundamental security best practices aimed at deflecting social engineering attacks and safeguarding against phishing and scams?
Do you maintain a roster of vendors to whom you have outsourced services? Is there a structured vendor risk management strategy in effect for conducting risk evaluations of these vendors? Do you have a dedicated team responsible for vendor risk management? Please provide your vendor list along with an overview of your vendor risk management approach.
Could you elaborate on the procedure you follow for notifying us when our data is shared with other parties or subcontractors?
Have you implemented a disaster recovery plan? If so, has your organization ever had occasion to put it into action? Please share the details of your disaster recovery strategy.
Do you use mechanisms to manage access to areas housing sensitive information assets?
How do you ensure adherence to security guidelines, particularly within the Software Development Life Cycle (SDLC)? Is there a comprehensive procedure for security testing or review of all the products you develop? Do you provide cybersecurity awareness training to your employees to enhance their capabilities during the development and testing phases? Have you implemented an incident response strategy? Are you open to establishing cybersecurity requirements via a formal agreement?
Cybersecurity questionnaires are often constructed and distributed as spreadsheets, but there are a number of software tools available to create, distribute, and receive answers for them.
How does vendor risk management influence the process of initially selecting vendors?
A vendor risk management program will influence the vendor selection process by requiring prospective vendors to provide information about their cybersecurity programs, privacy practices, and business continuity plans. The program will often prevent the purchasing organization from selecting vendors with lackluster controls – or require contractual obligations to pursue cybersecurity compliance such as SOC 2 or ISO 27001.
If you do business with an organization that has lackluster controls, you inherit their risk. By allowing your vendor management program to influence the selection of vendors, you are avoiding or mitigating the risk they pose to you.
How do you carry out a vendor risk management strategy?
While a lot goes into vendor risk management, the core activities can be boiled down into three main points: establishing vendor standards and baselines, standardizing onboarding and offboarding processes for vendors, and running annual vendor reviews.
Establish standards and baselines. If a vendor doesn’t meet some baseline criteria, they are removed from consideration!
Create standardized onboarding and offboarding processes. The offboarding process is especially important for security. You do not want old vendors hanging around with access to your files or systems!
Create and implement an annual vendor review process. Reviewing each important vendor’s security on an annual basis will allow you to catch any decline in their security program. It can happen as companies grow or leadership changes!
The result of implementing a vendor risk management strategy is smart vendor selection and significantly reduced exposure to third-party risk.
Which tools or resources should organizations adopt for vendor risk management?
There are a number of tools and resources available for vendor risk management. They include:
Standardized questionnaires that vendors may be familiar with and even have answers readily available for
Risk assessment brokers/security scanning tools, which quickly provide additional information about a vendor’s security posture
Third-party attestations (SOC 2), or certifications (ISO 27001, CMMC, TX-RAMP, FedRAMP)
Using or following industry-standard material will help you, your vendors, and your own customers communicate about risk management more quickly. Notably, SOC 2 reports or certifications like ISO 27001 often replace the need for a questionnaire, as a trusted third party has already evaluated the vendor’s security.
How to respond to a vendor breach
Before you even respond to a vendor breach, it’s important that you are prepared for one. Your contracts with important vendors should include language that requires them to disclose breaches to you within a given timeframe (often 24 or 48 hours). Unless you are one of their largest customers, the vendor is unlikely to extend this courtesy to you by default. You need to go out of your way to ensure that your organization has a seat at the table in case of an incident.
If an incident does affect you, it’s time to activate your incident response plan. When a breach is wholly within a vendor’s systems, then you will be reliant on their containment, response, and recovery actions.
How you could be affected and should respond depends on a couple of factors:
What data did the vendor store or process on your behalf? Customer data being compromised in a vendor breach could put additional notification requirements on you.
Could the threat actor use data or credentials gained in this breach to compromise your systems?
The compromised vendor may provide instructions to affected customers to protect themselves from subsequent attacks; follow them quickly.
Vendor risk is something unique to every organization. Each organization faces its own set of risks and has its own risk tolerances. What might be an acceptable risk for one company could be unthinkable for another.
How exactly you go about implementing vendor risk management at your organization will vary based on these factors. If you want to know how to get started on your program, we have a full guide for you here.