When it comes to managing risk, companies often overlook their vendors. But Vendor Risk Management should be an integral element of any robust data security program. A 2020 study by the Ponemon Institute showed 51% of companies have experienced a data breach caused by a third party. The report goes on to say “organizations are not taking the necessary steps to reduce third-party remote access risk, and are exposing their networks to security and non-compliance risks. As a result, 44% of organizations have experienced a breach within the last 12 months, with 74% saying it was the result of giving too much privileged access to third-parties.”
There are several common mistakes that organizations make when dealing with vendors but the good news is that there is a solution. At Ostendio, we deal with customers across many different industries with the same issue: how to mitigate the risk of dealing with vendors while using them efficiently to meet business needs. We help companies strike this balance by avoiding some of the most common roadblocks.
Here are the Top 5 most common mistakes we think you can avoid.
Failing to recognize the risk vendors pose to your business
The numbers don’t lie! We see it in the news on a regular basis - businesses, healthcare systems, and even government departments suffering data breaches due to third-party vendors. Take the recent SolarWinds breach for example where their Orion software was targeted and subsequently downloaded by many multinational companies and government agencies. Don’t put your head in the sand and hope it won’t happen to your business. Just because you have a security program for your own business, doesn’t mean that your vendors have an equally secure system in place. Don’t make the mistake of assuming vendors are secure or thinking that is their issue to deal with. The end result could impact the value of your brand, stock, and future business.
Believing large or established vendors have a strong security program in place
By selecting a vendor, regardless of their size, you must make it a priority to ensure their security programs are robust. For example, do they hold a SOC2 or HITRUST certification? Don’t make the mistake of thinking that a large vendor must have a strong security program or is secure because you have worked with them for a long time. For example, when an established business like Marriott hotels suffered a data breach due to a third party breach approximately 5.2million guests were affected. The bottom line is that large organizations that you might reasonably assume to have a robust security program in place can also experience security breaches. Do due diligence on any vendor, regardless of their size, how well recommended they are or how long you have done business together. Of course, not all vendors have the same risk, so split them into risk categories e.g. High, Medium, Low and then design your assessment relative to the risk. That way you can focus the majority of your effort on those with the highest risk.
Not running a risk assessment on (at least) an annual basis
If you are making this mistake then you are not alone. In 2019, research showed more than half of hospitals interviewed say they've had one or more data breaches caused by third-party vendors in the past two years, with an average cost of $2.9 million per incident. Some might think they’ve done a risk assessment once so why do they need to do it again? Well, the bad actors out there are moving at speed and they are constantly changing and adapting their tactics to gain access to protected or sensitive information. Your business needs to be constantly working to be one step ahead of the hackers. Keeping vendor risk assessments up-to-date annually alerts you to their vulnerabilities. Monitor this by using a system that reminds you when these are coming up for renewal and one that allows you to request the latest information from your vendor. It is worth remembering that the standards and regulations that your vendors align to can change as well so an annual assessment will ensure you hold the latest information on their compliance to the standards you care about.
Failing to include all your vendors in a vendor risk management program
Many companies make the mistake of using vendor risk management for only a restricted number of vendors that exceed certain thresholds of contract value or other metrics, but any third party with ANY amount of access to your systems or data poses a risk that must be documented and monitored. If you know that one of your vendors has experienced a breach, make sure they document how it was handled and show you how they have ensured it will not happen again. Of course not all vendors carry the same level of risk. One tip is to split your vendors into different risk groups e.g. High, Medium, Low which will allow you to assess each relevant to their risk level. This will allow you to assign more effort to those with a higher risk profile.
Not allocating a budget to protect your business
The latest study of vendor risk management shows the average healthcare vendor breach costs $2.75 million and exposes nearly 10,000 records. Clearly there is a lot at stake by not budgeting appropriately for a system to be part of your overall security program. This is a significant investment for your business but, based on breach costs and the damage to your organization’s reputation, the upfront cost of establishing a strong vendor management program could ultimately save your organization in the long run. Look for a platform that is easy to navigate, is integrated into your overall security program and keeps all your records up to date. Consider the standards and regulations that your business follows and make sure that the system you choose is constantly keeping up to date with the standards as they change to ensure your vendors remain compliant.
Remember, any third party with ANY amount of access to your systems or data poses a risk that must be documented and monitored.
Finding ways to “make-do” and cutting corners is never a good idea and often ends up coming back to haunt you. It could possibly be #6 on this list of mistakes! Vendor Risk Management is a process that businesses should take seriously and thinking you can manage multiple vendors with paper spreadsheets instead of a documented system will not end well. Choose a system that alerts you to tasks that need to be completed and can assign tasks to employees in any part of your business. A system that is simple for your organization to use and simple for vendors to comply with ends in a win-win situation.
Avoid making these 5 mistakes in vendor risk management and you will be headed in the right direction to building a strong and secure vendor risk management program. If you want to learn more about Vendor Risk Management, then you should check out our on-demand webinar “Re-Thinking Vendor Risk Management.” This free, on demand webinar shares practical advice on how to assess your vendor risk, with a live demonstration of the Ostendio MyVCM Vendor Connect solution.
Ostendio MyVCM’s Risk Management module leverages the operational data within a customer's MyVCM instance to allow them to operate a truly 3-dimensional risk management program. This fundamentally changes the conversation between the CISO and the CEO from one based solely on security spend, to an informative, data based conversation about what constitutes acceptable risk. The Ostendio MyVCM platform uses real time data so your organization can make decisions using data that is Always on, Always auditable and Always secure.
Ostendio experts are ready to chat about how the MyVCM platform can support your business. Sign up for a free demo of the platform where we can understand your unique needs.
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy, as an example. Just contact us at email@example.com.
Ostendio MyVCM Customers
Learn how Ostendio MyVCM customers like emocha Health, Arklign and Hint Health are using the MyVCM platform to be perpetually secure.