As a business owner, you often work with vendors or third-party suppliers whose information technology solutions ease your business processes. For example, you might need a web application to provide employees with remote working solutions or your payroll department may need programs that aid in distributing benefits. Not only must you develop a good working relationship with your vendors, but you must also put plans in place to manage security risks posed by working with these third-party suppliers.
Managing vendor risks
Identifying and managing risks with all your vendors is a key part of your business’s success. Depending on the type of relationship you have established with a vendor, you may face a number of different types of risks.
Determine the person in your company responsible for managing the relationship with the vendor. Also, identify the person within the vendor organization managing the relationship with your company. In very small businesses, the owner may be responsible. In larger companies, the relationship manager may be a department head, a legal department, or a senior executive. Identifying this individual (or individuals) clarifies communication and assigns ownership of the tasks involved in following up on any issues with the vendor.
Vendor risk also incorporates the relationship’s length. A one-off implementation project lasting three months may appear to be lower risk than an ongoing systems service contract. However, this assumption is faulty. Long-term contracts and short-term contracts have different risks, not necessarily different levels of risk. For example, the short-term implementation project may require more access to your systems, and revoking that user access may be overlooked at the end of the project. Meanwhile, the long-term contract carries continuous access risk.
Rating risks means understanding the types of risks that a vendor poses. Incorrect data input can lead to reputation risk, while data publication can lead to legal risk. Therefore, you need to specify the different types of risk that each vendor poses in order to understand your data security ecosystem.
Identifying the who, what, and when of vendor risk allows you to develop an appropriate plan to mitigate those risks and manage the relationship. Your plan must detail accepted vendor security behaviors and responses to data breaches. The document should be complete with checklists and step-by-step instructions for any processes, and should serve as a compliance guideline for your HR department and legal teams.
Identifying vendor risks
Identifying risks allows you to address their mitigation more purposefully.
Compliance and Private Data Risks
If you need to share private employee or customer information with your vendors, you expose your organization to compliance and security breach risks. In healthcare, for example, a breach can lead to thousands of dollars in fines under HIPAA.
Reputation and Legal Risks
If you are working with a third party that has direct access to your clients’ information, you run the risk of damaging your reputation. For example, PCI DSS compliance, the IT standard that focuses on cardholder data and payment processing, does not include fines, like HIPAA does. However, a PCI compliance failure means credit card companies won’t allow you to process payments. Additionally, customers will not trust you with their information and so you lose sales revenue. Finally, customers may sue you if someone steals their identity or uses the information to make fraudulent purchases.
When reviewing the financial risks a vendor brings with it, you may traditionally think in terms of credit ratings. However, information security financial risks often fall into the operational risk bucket. You integrate vendors as part of your daily business operations. A vendor’s operations, such as being slow to patch known vulnerabilities, can lead to a data breach. That breach impacts customers, like you, in the vendor’s supply chain. The financial risk to your organization may be anything from system access failure that costs you money for business interruption to customer private information being leaked that leads to money spent on fixing the issue.
How to minimize vendor risks
A service level agreement (SLA) is the most effective way to minimize vendor information security risks. To best protect your organization, your IT department and legal department should do the following when crafting an SLA:
- Verify that the vendor has professional liability insurance and cyber liability insurance.
- Request recent financial statements or talk with the vendor’s bank to ensure they are a financially solvent organization.
- Research the vendor to determine that it has not had data breaches.
- Verify any additional licensing or regulatory compliance needed related to HIPAA, government security, or financial regulatory compliance.
- Require a security policy that focuses on system management and data protection.
- Review service availability, including vendor ticket information and previous service outages.
- Establish defect tolerances, including metrics around incomplete backups/restores and errors in coding.
- Set metrics for anti-virus and patching that establish reasonable preventative measures.
- Go over the contract with the vendor to ensure every part of it is understood and that there are no questions or gray areas that may cause misunderstandings down the line.
Additionally, you need to make sure that you protect your own IT landscape from vendors. This means that you need a vendor management process that outlines the following:
- Access privileges for vendors
- Control over providing and revoking access
- Access reviews
- Password management policies
- Authorization policies
- Authentication methods
When determining vendor access to your systems, focus on providing the least access necessary for the vendor to do their job. A least-privilege authorization and access model gives you more control over your data.
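As an added example (not code from the article or from SecurityScorecard), the following Python sketch turns the access-management steps listed above into a periodic access review: each vendor contract records an approved least-privilege role scope and an end date, and the review flags active grants whose contract has ended, whose role exceeds the approved scope, or whose last review is overdue; a separate step revokes grants that no contract covers. Vendor names, account names, roles and dates are constructed sample data.

```python
"""Vendor access review (added example; constructed sample data)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class VendorContract:
    vendor: str
    approved_roles: frozenset   # least-privilege scope agreed in the SLA
    start: date
    end: date                   # access must be revoked once this date passes
    review_interval_days: int = 90


@dataclass
class AccessGrant:
    vendor: str
    account: str
    role: str
    granted_on: date
    last_reviewed: date
    active: bool = True


def review_access(contracts, grants, today):
    """Return (account, finding) pairs that need follow-up with the vendor."""
    by_vendor = {c.vendor: c for c in contracts}
    findings = []
    for g in grants:
        if not g.active:
            continue
        c = by_vendor.get(g.vendor)
        if c is None:
            # Access with no contract behind it: nobody owns the relationship.
            findings.append((g.account, "no contract on file: revoke"))
            continue
        if today > c.end:
            # The short-term project ended but its access was never removed.
            findings.append((g.account, "contract ended: revoke"))
        if g.role not in c.approved_roles:
            # Least-privilege violation: role beyond the agreed scope.
            findings.append((g.account, f"role '{g.role}' outside approved scope"))
        if (today - g.last_reviewed).days > c.review_interval_days:
            findings.append((g.account, "access review overdue"))
    return findings


def revoke_expired(contracts, grants, today):
    """Deactivate grants with no contract or an ended contract; return accounts revoked."""
    by_vendor = {c.vendor: c for c in contracts}
    revoked = []
    for g in grants:
        c = by_vendor.get(g.vendor)
        if g.active and (c is None or today > c.end):
            g.active = False
            revoked.append(g.account)
    return revoked


# Constructed sample data: a three-month implementation project that has ended,
# and an ongoing service contract.
TODAY = date(2024, 6, 1)
SAMPLE_CONTRACTS = [
    VendorContract("payroll-saas", frozenset({"payroll-reader"}),
                   date(2024, 1, 15), date(2024, 4, 15)),
    VendorContract("helpdesk-platform", frozenset({"ticket-agent", "ticket-admin"}),
                   date(2023, 1, 1), date(2025, 12, 31)),
]


def sample_grants():
    """Fresh copy of the constructed grants so revocation can be re-run."""
    return [
        AccessGrant("payroll-saas", "svc-payroll-impl", "payroll-reader",
                    date(2024, 1, 15), date(2024, 3, 1)),
        AccessGrant("helpdesk-platform", "svc-helpdesk", "ticket-agent",
                    date(2023, 1, 1), date(2024, 5, 1)),
        AccessGrant("helpdesk-platform", "svc-helpdesk-admin", "domain-admin",
                    date(2024, 2, 1), date(2024, 5, 1)),
        AccessGrant("legacy-integrator", "svc-legacy", "db-owner",
                    date(2022, 1, 1), date(2022, 1, 1)),
    ]


def run_sample():
    """Run the review over the sample data and return its findings."""
    return review_access(SAMPLE_CONTRACTS, sample_grants(), TODAY)


if __name__ == "__main__":
    for account, finding in run_sample():
        print(f"{account}: {finding}")
```

Running the review on a schedule (and again whenever a contract ends) gives the relationship owner a concrete list to raise with the vendor, and the revocation step closes the gap described earlier where a short project’s access outlives the project.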
Monitoring your vendor ecosystem
SLAs only protect your company if you review your vendors to make sure that they are meeting the requirements. Information security’s vendor management mantra is “trust but verify.” The basis of your vendor relationship is trust, but you also need to verify that your vendors are protecting information the way they promise. In some cases, vendors may lie on questionnaires, but more often, mistakes occur in a vendor’s daily operations. Unfortunately, those mistakes put you at risk.
Therefore, you need tools to help you establish an ongoing verification process. Third-party collaboration and communication are key to successful ongoing monitoring. You should clearly communicate to your third parties what will be monitored and tracked in an attempt to improve the security posture of all parties involved.
You should already be engaging in continuous monitoring of your own security through tools, solutions, and other processes. One option is to use these same tools and processes to monitor any integrated systems that your third parties own. Keep in mind that even if you are using tools that won’t alert your third parties, if any issues arise, you should reach out to them to begin remediation.
Some examples of ways to establish appropriate monitoring are:
- Establish a vendor risk management officer or office whose primary focus is continuously monitoring vendors.
- Set goals such as lowering the average number of days between a patch being released and that patch being applied, or increasing the frequency of open port scans.
- Review vendor password health to keep a vendor’s breach from impacting your organization through a leaked email address.
- Monitor employee turnover rate and increases in hiring, since new staff means new endpoints, which increase risk.
- Communicate your findings to the vendor regularly.
How SecurityScorecard enables vendor management
SecurityScorecard constantly scans the internet to see what a hacker sees. We then provide that information back to you with our easy-to-digest ratings system that grades vendors on an A-F rating scale. This helps you better monitor your ecosystem by easing the steps it takes to see your vendors’ protection methods. For example, unless you work for a vendor, you traditionally cannot see how fast they patch a vulnerability in their systems. With SecurityScorecard, you have insights into this information that allow you to verify your vendors’ responses. Moreover, our platform helps you see what emails and passwords have been compromised so that you know if a vendor poses a risk based on leaked data. Our Scorecards allow you to target vendors’ weaknesses so that you can communicate with them.
The vendor risk management process is cumbersome but necessary. However, to protect your information as well as your customers’ information, you need to find a way to work with others safely. Understanding your risks and managing them with the appropriate contracts allows you to determine the metrics you need for continuously monitoring vendors. SecurityScorecard eases the burden of monitoring and helps you protect yourself by helping you communicate with your vendor.