When it comes to building a security program, one of the most frequently overlooked areas is vendor management. Organisations may focus significant resources on internal security, such as vulnerability scans, centralized log management, or user training, while not extending the same diligence towards their third parties. As a result, organisations end up trusting the security of their network and data to an unknown and untested third party.
About the author
Zachary Curley, Consultant at AT&T Cybersecurity.
If an organisation cannot verify the security of its third parties, then it has introduced the potential for risk and reduced the integrity of its systems. Because a chain is only as strong as its weakest link, it is essential to realize that even if the cause of a breach is a third party, it is still your company’s name and brand at risk. What’s more, other potential costs associated with a data breach can include fines, loss of trust, data loss and brand damage.
Risks posed by poor vendor management
Some organisations may find themselves thinking, “what damage could vendors really do?” The answer to that question will vary based on the access, control, and data that are provided to them. For example, if the office caterer was breached, the overall risk to the organisation is easily contained by simply canceling whatever card was offered to them.
On the other hand, if it was the third-party accountant or lawyer, the organisation could suffer far more damage. In this example the organisation could be releasing highly private and potentially valuable data into unknown systems, with unknown controls and unknown users. This line of thinking can apply to any organisation and any vendor, regardless of size or industry, and can help them identify where to focus efforts.
Any vendor that has access to systems or data is inherently a risk to the company. Every threat or vulnerability the organisation faces will also be faced by its vendors. The question becomes: how confident is the organisation that the vendor takes these threats as seriously? Or is the vendor even aware of them?
Steps to reduce vendor risk
There are a few steps any organisation can take to develop a more robust stance on vendor management. It must be noted that to build a truly effective and mature program, organisations must be willing to dedicate the time and resources to do it right.
A vendor management program should have, at a minimum, the following components:
A vendor management policy should cover the purpose behind assessing vendors, staff responsibilities, communication channels, and other core components of the overarching program.
Along with the policy, the organisation will need several defined procedures to implement and manage the vendor management program effectively. These procedures can include:
Defining the criteria by which vendors will be assessed is the first procedure that must be built. This guides staff when it comes to requesting documents from vendors and covering the correct topics. Workflows should also be developed to create a robust and repeatable process that can be improved and matured.
This procedure should outline requirements for documentation collection and provide guidance on how to collect and store the necessary information. Document management is key for a long-term program, especially when it comes time for reassessment.
Outlining the acceptable forms of evidence that can be presented to attest to security will streamline and speed the process of reviewing vendors. Specific requirements may vary by the size and type of vendor, but can include things like audit reports, redacted penetration tests, certifications, or policies.
Any of the above procedures or processes that are created should be relevant to the size and scope of the program and must fit in with the organisation’s general operations.
To ensure that resources are used effectively, organisations should come up with a ranking system to classify vendors. While there is no ‘right’ answer to ranking vendors, a few metrics that can be used to determine criticality are:
- Sensitivity of data they receive
- Volume of data they receive
- Importance of service they provide
These can be used by themselves or combined to form a more robust ranking system. There are other ways to rank vendors; pick the metrics that best fit the organisation.
As part of the policies and procedures supporting this program, there should be defined staff who serve as escalation points for any issues or security concerns. These staff should be senior members of the organisation or those with authority to make decisions. This is a necessary component of any program because, unfortunately, not all vendors will be willing to remediate gaps, or even undergo an assessment. In these cases, it is up to the assigned staff members to determine the best course of action.
Make sure to have standardized contracts with vendors that include things like service level agreements (SLAs) to ensure that vendors are actually obligated to provide the services that are bought from them. Without an SLA, organisations have little recourse if the vendor suffers long-term outages, or otherwise fails to deliver the promised service(s).
Internally, these requirements should be monitored by the specific teams or employees that work with these vendors regularly. The staff using the system or working with the vendor will be in the best place to notice abnormalities or contractual failings.
Vendor management is a complex and time-intensive task to which many organisations do not, and in many cases cannot, dedicate the necessary time and resources. But it must not be underestimated as a cornerstone of any cybersecurity initiative. For companies with a small number of vendors, this can be manageable, but most organisations will need additional support to create and implement a vendor management program effectively. By dedicating resources to developing a program, organisations can begin to understand and work to eliminate the threats posed by their third parties.