How Much Do You Trust Your Vendors
February 18, 2021
Any given organization will likely keep a long list of third-party vendors. They cover a wide range of functions and, although not enough people consider this point, a broad range of security profiles as well.
While many organizations are now keenly aware of how much time, effort and foresight they must put into their own security, many never ask whether the vendors they bring in are equally secure, or what risks those vendors bring with them.
The scrutiny a vendor receives can and should vary with many factors, including the vendor's level of data access, the role it plays in the finished product, and its public association with your organization. The company that delivers a bi-weekly lunch doesn't deserve the same scrutiny as the accountant who comes in once a year to audit your books and pore through the accounts, or the development team building your new app. Yet many companies lack the oversight or the processes needed to account for these differences.
How vendor security breaches affect you
The risk that vendors expose you to is significant. In the data breach of NordVPN, one of the most well-known and reputable virtual private network (VPN) providers, a third-party server supplier ran a vulnerable remote management system on its infrastructure, and that system created the opening for the breach. While NordVPN maintains that the breach was very limited, the media fallout was extensive and the burden of damage control fell on NordVPN, not on the supplier.
In 2018 it emerged that Best Buy, Sears, Kmart, and Delta customer data had been exposed to attackers. In this case, the point of origin was [24]7.ai, a chat support vendor. The vendor discovered the intrusion in October and informed these four clients the following March, nearly half a year later. The statement [24]7.ai released to the public was brief, saying only that it was "cooperating fully to ensure the protection of our clients." Reassurances aside, payment card information of potentially hundreds of thousands of Best Buy, Sears, Kmart, and Delta customers was exposed, including customers who had never used the chat system.
In both of these cases, and hundreds more, the weak point was not a lapse inside the company itself but a third-party vendor. What's more, the vendor often doesn't take the brunt of the blame for the breach; the client does. If you aren't carefully vetting your suppliers, you are setting yourself up for a potential disaster.
Preventing organizational risk
The best course of action to protect your organization from third-party vendor security breaches is two-fold. First, prevent risk wherever possible.
• Assign a specific person the role of evaluating third-party vendors across multiple dimensions. There are different types of risk: the risk that a vendor is new and will soon go out of business, the risk that it won't deliver the best result, and the risk that it will be breached. Someone who is not a stakeholder in the outcome needs to evaluate all of these risks and report back. In some instances, the nature of the service or product will require more technical expertise, and multiple lines of business may have to be involved in the initial assessment.
• Ensure that this person has a seat at the table during the decision-making process. Your supply risk manager should be able to present his or her case and be candid about the potential pitfalls.
• Give your supply risk manager the resources and time to build a security assessment profile of each vendor. This should include requesting and contacting references, submitting requests for information about past breaches, and conducting negative news searches. The goal is to learn everything you can about a vendor's historical risk, which is the best available predictor of its future risk, before integrating the vendor into your process.
Minimizing damage from the inevitable
However, some risk is inevitable, and eventually, your organization may have to face the possibility of a data breach. Joseph Demarest, Jr., Associate Executive Assistant Director of the FBI and former Assistant Director of the FBI’s Cyber Division, says simply, “you’re going to be hacked. Have a plan”.
The key to minimizing damage is to create this plan of action before a breach occurs. A global study sponsored by IBM found that the longer a breach takes to detect, contain, and resolve, the more it costs to resolve.
• Each area of risk, whether operational, financial, reputational, or regulatory, should have its own set of protocols laid out in advance, preferably with its own personnel dedicated to managing it. Consider hiring a business continuity manager to keep normal operations running, sourcing an incident response team to contain the incident and limit its financial impact, a media relations specialist for reputation, and legal counsel for regulatory compliance.
• Conduct regular tests of the plans you have put in place. Run mock crisis scenarios to see where your plan succeeds and where it falls short, and keep improving it, adding new vendors to the plan as they are brought into your process.
Lastly, risk is everywhere, but whether you accept a given risk should be decided systematically, not ad hoc depending on how urgently you need a specific vendor's services. This is key: decide ahead of time how much risk, and what type, you are willing to tolerate.
If you require a vendor's services, do your homework on their history and inform yourself of the potential for future risk. Then create a plan of action to deal with that risk. Lastly, test your plan in mock scenarios and update it as needed.