Posted on Jul 3, 2018
An effective vendor risk management (VRM) policy can help organizations prioritize their vendors based on the risk they pose and provide those vendors with the necessary steps for mitigating risks. Vendors often come with IT security concerns of their own, which your organization will be responsible for mitigating should you decide to work with them.
While many organizations have an internal security policy in place, they often lack a clear understanding of the inherent risks third-party vendors pose. With the cost of a data breach continuously on the rise, it’s more important than ever for organizations to proactively protect their own networks as well as those of their vendors.
While organizations may have a cybersecurity program in place for their own network, many have a tendency to overlook the security posture of their vendors. A vendor risk management policy plays a critical role in securing your entire ecosystem.
Explore 4 reasons why your organization needs a vendor risk management policy:
Industries like finance and healthcare have strict compliance standards they must adhere to such as HIPAA or PCI DSS. If an organization is found to be non-compliant they may be faced with lawsuits, even if the error occurred due to a third-party vendor’s negligence.
Third-party vendors often have access to your sensitive data, which makes them an attractive path for attackers to reach you. If a vendor does not have the proper systems in place to protect against hackers, you are putting your own organization’s most critical data at risk.
Many organizations lack insight into the IT security vulnerabilities posed by their third-party vendors, making them extremely vulnerable to attacks. Without the ability to see into your vendors’ networks your organization has no way of knowing, preparing for, or mitigating the risks that they bring.
Many of the top data breaches in the news today were due to third-party negligence. According to Ponemon, the cost of a data breach is roughly $3.92 million. In cases where the data breach was caused by a third-party vendor, that cost rises by more than $370,000.
Setting up a comprehensive vendor risk management policy can be a daunting task, but it is a critical step for organizations that want to effectively and proactively monitor and mitigate risk.
Take a look at 6 essential steps for developing a successful VRM policy:
The first step of an effective vendor management policy is asking “who are my business’ third- and fourth-party partners?” This step involves creating a list of all your vendors, including every third-party vendor and contractor, and even their own partners and third-party vendors (your fourth parties). Vendors are a service asset, so the same way that you catalog your systems and networks, you need to put together a list of your vendors. This list helps you focus on the risks to your ecosystem. Starting with the “who” of a vendor management process allows you to move to the “what.”
Once the list is created, each vendor needs two important classifications. The next question to ask yourself is, “what access do vendors have?” Then determine the following:
Vendors will pose different levels of risk and thus will require different data protections. Key points to consider are the services provided, a vendor’s access to internal data, and the sensitivity of the data involved such as confidential client data, passwords, and identifying information.
Not all vendors require the same system, network, and data access. A healthcare plan that works with your human resources department accesses different information than your marketing management system. The information and networks vendors need to do their work will help define the level of criticality and impact. These, in turn, define the risk.
Once you have determined the risk your vendors pose, you may notice that they fall into a variety of risk categories. These categories define the controls you put in place to mitigate the risks. For example, a system or network access control might include role-based access controls. Vendors accessing personal health data or personally identifying information require stronger controls than those accessing publicly available information, or those not accessing systems at all. By aggregating third-party service providers into role-based profiles, you can better organize the controls that apply to them.
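As an added illustration of steps 1 through 4 (not code from the original post or from SecurityScorecard), the following Python models a vendor inventory that includes fourth parties, derives criticality from network access and impact from the data handled, and maps the resulting risk tier to a control profile. The sensitivity rankings, thresholds, control sets and vendor names are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed rankings: impact is driven by the most sensitive data class a vendor
# touches, criticality by the level of access it has to your systems.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2,
               "credentials": 3, "phi": 3, "pii": 3}
NETWORK_ACCESS = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Assumed role-based control profiles, one per risk tier.
TIER_CONTROLS = {
    "critical": ["least-privilege RBAC", "MFA on vendor accounts",
                 "continuous external monitoring", "breach-notification clause"],
    "high": ["least-privilege RBAC", "annual audit", "continuous external monitoring"],
    "medium": ["security questionnaire", "annual review"],
    "low": ["contract terms only"],
}
TIER_ORDER = ["low", "medium", "high", "critical"]

@dataclass
class Vendor:
    name: str
    data_classes: List[str]      # data the vendor handles on your behalf
    network_access: str          # none / read / write / admin
    fourth_parties: List["Vendor"] = field(default_factory=list)  # the vendor's own vendors

def criticality(v: Vendor) -> int:
    return NETWORK_ACCESS[v.network_access]

def impact(v: Vendor) -> int:
    return max((SENSITIVITY[d] for d in v.data_classes), default=0)

def risk_tier(v: Vendor) -> str:
    """Risk = criticality x impact, bucketed into tiers. A vendor can be no safer
    than the fourth parties it shares your data with, so take the worst of the chain."""
    score = criticality(v) * impact(v)
    own = "critical" if score >= 6 else "high" if score >= 3 else "medium" if score >= 1 else "low"
    return max([own] + [risk_tier(fp) for fp in v.fourth_parties], key=TIER_ORDER.index)

def assess(vendors: List[Vendor]) -> Dict[str, Tuple[str, List[str]]]:
    """Return {vendor name: (risk tier, required controls)} for the whole inventory."""
    return {v.name: (risk_tier(v), TIER_CONTROLS[risk_tier(v)]) for v in vendors}

# Constructed inventory (placeholder names, not real vendors). The health plan
# itself only reads PHI, but its hosting subprocessor has admin access, so the
# chain is rated critical.
HOSTING = Vendor("hosting-subprocessor", ["phi", "pii", "credentials"], "admin")
HR_PLAN = Vendor("health-plan", ["phi", "pii"], "read", [HOSTING])
MARKETING = Vendor("marketing-platform", ["internal"], "write")
CATERING = Vendor("catering", ["public"], "none")
INVENTORY = [HR_PLAN, MARKETING, CATERING]

if __name__ == "__main__":
    for name, (tier, controls) in assess(INVENTORY).items():
        print(f"{name}: {tier} -> {', '.join(controls)}")
```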
Now that you have reviewed the risks your vendors pose, you need to establish procedures for onboarding third parties, continuous monitoring and oversight, and termination. Vendor risk management policies start with the risks posed and end with the action items that protect your company from those risks. For example, if you are a retail organization using a payment processing system that experiences a data breach, your business may go bankrupt. Your vendor risk management policy procedures start with trusting vendors but ultimately require verifying them.
Your vendor management policy should incorporate a discussion of:
Vendor management requires continuous monitoring and oversight, and your policy needs to clearly state how you plan to do this. Historically, organizations have used audits to assess a vendor’s stability, which provide a snapshot of a vendor’s cybersecurity strategy and the effectiveness of their controls. However, because these audits only act as point-in-time assessments, they are not always an accurate representation of an organization’s current cybersecurity posture. Additionally, attackers do not confine themselves to an audit window and are constantly evolving their cyber attacks.
Therefore, a critical piece of a good vendor risk management policy is to incorporate continuous monitoring beyond audits.
Finally, your policy needs to address how you plan to mitigate a vendor risk once vulnerabilities have been identified. Once you detect a vendor whose security posture puts your organization at risk, you need to outline what steps should be taken to mitigate said risk. Action items can include contacting the vendor, monitoring their remediation process, and in some cases, terminating the relationship.
While creating and maintaining an effective vendor risk management policy takes a substantial amount of hard work and effort, the threat to your organization is very real. To mitigate the risks third-party vendors pose, you must audit and continuously monitor their activities. Failure to do so could cost your organization.
SecurityScorecard enables organizations to develop an efficient vendor risk management policy by providing continuous visibility into not only their own network but those of their third or fourth-party vendors. Our security ratings assign an A-F score based on identified security issues within the context of the company’s size and digital footprint. By reviewing vendors across 10 groups of risk factors, organizations can see exactly how well they are protecting themselves against an evolving threat landscape. With SecurityScorecard’s easy-to-digest vendor ratings, you’ll gain invaluable insights into the potential risk of third-party vendors and prevent cybersecurity attacks before they become problems.