Why vendors may be the biggest security risk to your organization
Over 90% of the data breaches that companies experienced in 2021 were linked to a third-party vendor. It is an all too familiar risk management story, as evidenced by the Okta breach being attributed to a third-party vendor. In an increasingly cloud-based work environment, busy CISOs have hundreds of vendors to manage, and understanding what data third parties hold and how they protect it is critical to maintaining a robust data security program.
We’ve examined the cost of a data breach and how it can impact an organization’s reputation and bottom line following the SolarWinds attack. However, to prepare for a potential attack, CISOs must also consider why vendors might be the biggest risk to their organization and review how to protect company data against that risk.
Step 1: Track the Number of Organizational Vendors
As organizations continue to increase the number of vendors they work with, tracking individual security capabilities has become exponentially more challenging. In the past, organizations could focus on protecting the data that they manage directly, and even when they did work with a third party, the third party's product was often implemented within their own network environment. But today, everything from our production hosting environment to our sales and marketing tools, financial accounts, and even the way we communicate is provided by a cloud-based third party.
This makes it even more challenging to know where data might be, let alone to make sure that your vendor is protecting it appropriately. Even renowned, everyday technology companies have demonstrated a clear disregard for implementing effective security protocols. For example, Zoom was recently forced to pay an $85m fine after the FTC alleged that it “engaged in a series of deceptive and unfair practices that undermined the security of its users.”
So how can you be sure your service providers are doing what they should to protect your data?
Step 2: Develop a third-party risk management program to protect data and evaluate risk
Developing an effective third-party risk management program ensures companies are protecting data they manage directly and have a mechanism to understand the level of risk involved when they share data outside of their organization.
While not all vendors will have access to sensitive data, and therefore the risk may not be as consequential, it is critical for companies to assess vendors by risk level and set relevant mechanisms in place to ensure that those who do have access to data are taking the appropriate measures to protect it.
Step 3: Select an Integrated Risk Management tool to assess vendor risk
How do you start a vendor risk management program?
As Gartner outlined in their recent report Emerging Technologies: Top Use Cases in Integrated Risk Management, rather than approaching a vendor risk management program as an independent process, it should be part of a fully integrated risk management program. We typically recommend our customers start by assessing all of their vendors by risk category and reserve the most scrutiny for those categorized as highly critical and critical.
A select number of integrated risk management platforms, such as the MyVCM platform, allow customers to sort vendors by risk category and to send customizable assessments directly to all vendors, with the content of each assessment tailored to the criticality of the risk. This process ties the vendor’s response directly to the organization's own security and risk management program and lets the vendor use its own free version of MyVCM to simplify and organize its response.
Once a MyVCM Trust Network connection has been established between an organization and its vendor, an assessment can be scheduled to run on a routine basis, for example yearly. This allows companies to regularly check on the risk category of all their vendors.
The benefits of customizable assessments for vendor risk management
Customizable assessments can be configured to include vendor scoring where thresholds are set, alerting an organization to specific areas of concern. By automating the risk assessment process and highlighting areas that require attention, CISOs can have a higher degree of confidence that they are addressing any areas of increased risk associated with a vendor relationship.
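The tiering described in Step 3 and the threshold-based scoring described above, as an added example that is not Ostendio or MyVCM code: a vendor is first placed in a tier from what it can reach (sensitive data, the production path, identity integration), the questionnaire scope widens with the tier, and the answers produce a weighted score plus alerts for any control domain that falls under a floor or was left unanswered. The domain names, weights, thresholds and sample vendors are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed control domains with relative weights (assumption, not MyVCM's questionnaire).
DOMAINS = {
    "access_control": 3,
    "encryption": 3,
    "incident_response": 2,
    "logging_monitoring": 2,
    "subprocessor_management": 1,
}

# Higher tiers are asked about more domains (assumption).
TIER_SCOPE = {
    "highly critical": set(DOMAINS),
    "critical": set(DOMAINS) - {"subprocessor_management"},
    "moderate": {"access_control", "encryption"},
    "low": {"access_control"},
}

# Minimum overall score per tier, and the per-domain floor that raises an alert (assumption).
TIER_THRESHOLD = {"highly critical": 90, "critical": 75, "moderate": 60, "low": 0}
DOMAIN_FLOOR = 50


@dataclass
class Vendor:
    name: str
    handles_sensitive_data: bool = False   # customer PII, PHI, credentials
    in_production_path: bool = False       # hosting, CDN, CI/CD
    identity_integrated: bool = False      # SSO, directory sync, API keys into our tenant
    stores_company_data: bool = False      # internal but non-sensitive documents
    answers: dict = field(default_factory=dict)  # domain -> list of yes/no answers


def tier_for(v: Vendor) -> str:
    """Assign a risk tier from what the vendor can reach, before any questionnaire."""
    if v.in_production_path or (v.handles_sensitive_data and v.identity_integrated):
        return "highly critical"
    if v.handles_sensitive_data or v.identity_integrated:
        return "critical"
    if v.stores_company_data:
        return "moderate"
    return "low"


def assess(v: Vendor) -> dict:
    """Score the questionnaire for the vendor's tier and collect alerts."""
    tier = tier_for(v)
    domain_scores, alerts = {}, []
    for domain in sorted(TIER_SCOPE[tier]):
        responses = v.answers.get(domain)
        if not responses:
            # An unanswered in-scope domain scores zero and is always an alert.
            domain_scores[domain] = 0.0
            alerts.append(f"{domain}: no response")
            continue
        pct = 100.0 * sum(responses) / len(responses)
        domain_scores[domain] = pct
        if pct < DOMAIN_FLOOR:
            alerts.append(f"{domain}: {pct:.0f}% below floor of {DOMAIN_FLOOR}%")
    total_weight = sum(DOMAINS[d] for d in domain_scores)
    overall = sum(DOMAINS[d] * s for d, s in domain_scores.items()) / total_weight
    return {
        "vendor": v.name,
        "tier": tier,
        "score": round(overall, 1),
        # A vendor passes only if it clears the tier threshold with no open alerts.
        "passed": overall >= TIER_THRESHOLD[tier] and not alerts,
        "alerts": alerts,
    }


# Constructed sample vendors (assumption); names are placeholders.
SAMPLE_VENDORS = [
    Vendor("hosting-provider", handles_sensitive_data=True, in_production_path=True,
           answers={"access_control": [True, True, True], "encryption": [True, True],
                    "incident_response": [True, True], "logging_monitoring": [False, True, False],
                    "subprocessor_management": [True]}),
    Vendor("crm-saas", handles_sensitive_data=True,
           answers={"access_control": [True, True, True], "encryption": [True, True],
                    "logging_monitoring": [True, True]}),   # incident_response never answered
    Vendor("snack-delivery", answers={"access_control": [True, True]}),
]


def run_all(vendors=SAMPLE_VENDORS) -> dict:
    """Assess every vendor and key the results by vendor name."""
    return {r["vendor"]: r for r in (assess(v) for v in vendors)}


if __name__ == "__main__":
    for r in run_all().values():
        status = "PASS" if r["passed"] else "REVIEW"
        print(f"{r['vendor']:18} {r['tier']:16} {r['score']:5.1f} {status} {r['alerts']}")
```

The hosting provider scores 87.9, short of the 90 required for its tier, and its logging domain falls under the floor; the CRM clears its 75 threshold on points but still fails because one in-scope domain was never answered. Keeping the tier assignment separate from the questionnaire is deliberate: a vendor cannot talk its way into a lighter review by answering well, because scope is fixed by access, not by answers.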
The MyVCM Vendor Risk Assessment module is part of an organization's overall integrated risk management program, allowing the organization to:
Include vendor risk management as a component of their overall risk management program.
Determine how third-party risk stands in its overall risk profile.
Help them mitigate possible risks and avoid the data breaches that make regular headline news.
We recommend that organizations partner with a vendor risk management expert to help with training and with managing their vendor responses, ensuring information is collected appropriately and on schedule. Our risk management experts also help clients who are themselves vendors handle their own customers' risk management requests, incorporating them into our risk management platform so that responding is significantly simpler.
Protect your organization against vendor risk
If you are working with multiple vendors and haven’t considered the associated risks this poses to your organization, speak to an expert at Ostendio. Our team can demonstrate how to manage your vendors and evaluate and mitigate the risk to your organization. Schedule time to meet with a vendor risk expert.
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy, as an example. Just contact us at firstname.lastname@example.org.