Vendor Risk Management is a hot topic at the moment and for good reason. A recent study by the Ponemon Institute showed 59% of companies have suffered a data breach at the hands of their third party vendors and many don’t know how to tackle the issue. At Ostendio we deal with customers from across many different industries with the same issue: how to mitigate the risk of dealing with vendors while using them efficiently to meet business needs.
We have helped a lot of companies strike this balance, and we have seen many roadblocks, including some that are easily avoided. Here are the Top 5 most common mistakes we think you can avoid.
1. Failing to recognize how big a risk vendors pose to your business.
The numbers don’t lie! We see itin the news on a regular basis - businesses, healthcare systems and even government departments suffering data breaches due to third party vendors. Don’t put your head in the sand and hope it won’t happen to your business. Just because you have a security program for your own business, doesn’t mean that your vendors have an equally secure system in place. Don’t make the mistake of assuming vendors are secure or thinking that is their issue to deal with. The end result could impact the value of your brand, stock and future business.
2. Thinking that large or established vendors have a strong security program in place.
By selecting a vendor, regardless of their size, you must make it a priority to ensure their security programs are robust. For example, do they hold a SOC2 or HITRUST certification? Don’t make the mistake of thinking that a large vendor must have a strong security program or is secure because you have worked with them for a long time. For example when an established business likeZendesk suffered a security breach last year their customers who were possibly affected included the FCC and Uber. The bottom line is that large organizations that you might reasonably assume to have a robust security program in place can also experience security breaches. Do due diligence on any vendor, regardless of their size, how well recommended they are or how long you have done business together. Of course not all vendors have the same risk, so split them into risk categories e.g. High, Medium, Low and then design your assessment relative to the risk. That way you can focus the majority of your effort on those with the highest risk.
3. Not running a risk assessment on an annual basis.
If you are making this mistake then you are not alone, recent Ponemon Institute research showed that Healthcare providers have an average of 1,320 vendors under contract, but just 27 percent said that they assess all vendors annually. This is clearly a vulnerability that many should be addressing. Some might think they’ve done a risk assessment once so why do they need to do it again? Well, the bad actors out there are moving at speed and they are constantly changing and adapting their tactics to gain access to protected or sensitive information. Your business needs to be constantly working to be one step ahead of the hackers. Keeping vendor risk assessments up-to-date annually alerts you to their vulnerabilities. Monitor this by using a system that reminds you when these are coming up for renewal and one that allows you to request the latest information from your vendor. It is worth remembering that the standards and regulations that your vendors align to can change as well so an annual assessment will ensure you hold the latest information on their compliance to the standards you care about.
4. Failing to include all your vendors in a vendor risk management program.
Many companies make the mistake of using vendor risk management for only a restricted number of vendors that exceed certain thresholds of contract value or other metrics, but any third party with ANY amount of access to your systems or data poses a risk that must be documented and monitored. If you know that one of your vendors has experienced a breach, make sure they document how it was handled and show you how they have ensured it will not happen again. Of course not all vendors carry the same level of risk. One tip is to split your vendors into different risk groups e.g. High, Medium, Low which will allow you to assess each relevant to their risk level. This will allow you to assign more effort to those with a higher risk profile.
5. Not allocating budget to protect your business.
The latest study of vendor risk management shows the average healthcare vendor breach costs $2.75 million and exposes nearly 10,000 records. Clearly there is a lot at stake by not budgeting appropriately for a system to be part of your overall security program. This is a significant investment for your business but, based on breach costs and the damage to your organization’s reputation, the upfront cost of establishing a strong vendor management program could ultimately save your organization in the long run. Look for a platform that is easy to navigate, is integrated into your overall security program and keeps all your records up to date. Consider the standards and regulations that your business follows and make sure that the system you choose is constantly keeping up to date with the standards as they change to ensure your vendors remain compliant.
Finding ways to “make-do” and cutting corners is never a good idea and often ends up coming back to haunt you. It could possibly be #6 on this list of mistakes! Vendor Risk Management is a process that businesses should take seriously and thinking you can manage multiple vendors with paper spreadsheets instead of a documented system will not end well. Choose a system that alerts you to tasks that need to be completed and can assign tasks to employees in any part of your business. A system that is simple for your organization to use and simple for vendors to comply with ends in a win-win situation.
Avoid making these 5 mistakes in vendor risk management and you will be headed in the right direction to building a strong and secure vendor risk management program. If you want to learn more about Vendor Risk Management, then you should check out our on-demand webinar “Re-Thinking Vendor Risk Management.”
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy, as an example. Just contact us at firstname.lastname@example.org.
Avoiding the Hidden Pitfalls of Security Audits
In this webinar, see the 5 most common pitfalls of security audits and learn how you can avoid them with the power of MyVCM CrossWalk Assessments.