In this article, we will share some of our vendor risk management best practices for information security. It’s important to have a methodical approach to determine the risk level of your vendors. Why? If your vendors don’t have strong security, YOU don’t have strong security.
You probably remember Target’s big third-party breach in 2013. “Target had reported that hackers stole data from up to 40 million credit and debit cards” (Joyce, 2017). Many people don’t realize that the initial point of entry was a third-party vendor: the attackers used credentials stolen from Target’s HVAC contractor to get into Target’s network. IBM Security reported in 2019 that breaches involving a third party increase the total cost of a data breach by $370,000.
Vendor risk management for information security is crucial, and we’re going to share some of our vendor risk management best practices in this article.
A vendor list usually includes company name, address and phone number. We argue that this is not enough information. Unfortunately, a majority of vendors pose some sort of security risk to your company because they can have access to your data, network, systems, or physical location.
Below we list 9 important components to include in your vendor list template. This means your vendor list will essentially act as a security snapshot of your current and former vendors. Let’s get started.
No matter the size of your business, having a well maintained vendor list is a good idea. It will save you time to have a master list, instead of having to ask a colleague or dig through your email to find the right contact information.
Depending on your industry (we work with clients in heavily-regulated industries like financial services, healthcare, and government contracting), it may be required or strongly recommended to have an up-to-date vendor list.
There are also some security-related reasons to have a vendor list. If you are notified of a breach, and it’s a vendor that you use, having a current security-focused vendor list will make it easy for you to determine next steps. It also provides peace of mind that you have a complete list of vendors and a snapshot of their access and security measures.
A vendor is an external organization that provides a service or product for your company. For information security-specific reviews, we tend to focus on any vendors that may have access to your sensitive data, finances or network. A vendor could be your payroll service provider, IT provider, electronic billing providers, manufacturers, and more.
Think of what systems you use to run your business – and if those systems have access to your data in any way, put them in your vendor list! Think: email, e-signature programs, IT and HR service providers, suppliers, consultants.
There are many free vendor list templates out there. Like most things, some are better than others. It’s important to pick and choose the appropriate components for your vendor list. Since we’re a cybersecurity company, we’re going to recommend having more than just a vendor’s contact information. You need to know if a vendor has security measures in place, and it’s a good idea to update your vendor list every time you complete a vendor review.
Here are the components to include in your vendor list template:
Let’s start with the basics. A vendor list should include the vendor’s name and contact information: mailing address, phone number, website, and client representative.
Since vendor services are not always obvious by looking at the name, be sure to include a brief description of the services provided.
You’ll need to note whether a vendor has access to your network, systems, or data. For example, your IT service provider most likely has full access to your network and systems, and remote connection privileges. If your company uses Google Workspace or Microsoft 365, either Google or Microsoft has access to your documents and emails.
Why include vendor access? This goes back to our previous point of security-related reasons to have a vendor list. If a vendor experiences a breach, it’s important to know whether your client data could be affected.
We typically recommend risk rating your vendors on a scale of low to high. How do you come up with the rating? Our clients undergo third-party vendor risk management each year, which consists of evaluating the security posture of their vendors. During that review process, it becomes clear which vendors are a higher security risk, either based on their lack of security measures, or their level of access to your systems and data.
For example, your IT service provider most likely has full access to your systems, and even after passing a background check, may still have a high security risk rating. Another vendor, like DocuSign, may have a medium security risk rating because it has access to organization and client data, but is password and MFA protected.
Being able to quickly see a vendor’s name and their security risk will help you make business decisions – if a vendor has a high security risk and there is some sort of incident (service or security-related), you may choose to search for a new vendor.
Depending on your industry, your clients and prospective clients may want to see your vendor list too, and seeing the security risk rating provides a clearer picture of your vendors and your company's attitude towards security.
If you are using any sort of cloud service, you need to use MFA (multi-factor authentication). It’s one of the best and easiest (and free) ways of protecting your systems and data.
Just as important as using MFA is the type of MFA. Note whether the type of MFA is email, SMS, mobile app or other. Any MFA is better than no MFA, but email and SMS codes are the weakest options (they can be intercepted or phished), so of the common choices a mobile app is the one to aim for. If a vendor supports phishing-resistant hardware security keys (FIDO2/WebAuthn), that is stronger still; record it under “Other” and prefer it where available. How many times can we type MFA in one paragraph? How about one more: MFA.
In this column, note any other security measures worth mentioning. For example, programs like DocuSign and LastPass password manager are password protected (plus MFA of course). For your IT service provider or cleaning service, you may want to note that they passed a background check.
Do you have a contract with this vendor? For software programs like DocuSign, you may not have an actual signed contract, but usually there is a service agreement that can be found on their website. For your IT service provider? We hope you have a contract! Additionally, contract dates are a great way to monitor active and retired services from your vendors.
You may think of your vendor list as a list of currently used vendors, but it’s important to include former vendors as well. It will save you time down the road if you decide to look at alternate vendors, and it’s important to document when the relationship was terminated and whether the vendor still holds any of your data.
Here’s the list of headings to include in your vendor list. Just plug them into your favorite spreadsheet software. We won’t make you sign up with your email address - just copy/paste and get your vendor list going:
Vendor Name
Contact Information (Mailing Address, Phone, Website, Client Representative)
Description of Service
Description of Vendor Access (Network/Systems/Data)
Security Risk Rating
Type of MFA (Email/SMS/Mobile App/Other)
Other Security Measures
Contract? And Contract Details (ex. Start and End Dates)
Vendor Status (ex. Active, Inactive)
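Once the list lives in a spreadsheet, the access and MFA columns can drive a first-pass risk rating and a to-do list for the annual review. The script below is an added example, not part of the original article or any tool the authors provide. It assumes the template headings above exactly as written, plus a first column named “Vendor Name”; the sample rows are constructed for illustration, not real review findings; and the point weights and the High/Medium/Low thresholds are our own assumption of the “level of access plus strength of security measures” logic described earlier, to be tuned to your environment.

```python
import csv
import io

# Column headings, copied from the vendor list template above.
# "Vendor Name" is assumed as the name column.
COL_NAME = "Vendor Name"
COL_ACCESS = "Description of Vendor Access (Network/Systems/Data)"
COL_MFA = "Type of MFA (Email/SMS/Mobile App/Other)"
COL_STATUS = "Vendor Status"

# Constructed sample data for illustration only (not real vendors or findings).
SAMPLE_VENDOR_LIST = """\
Vendor Name,Description of Service,Description of Vendor Access (Network/Systems/Data),Security Risk Rating,Type of MFA (Email/SMS/Mobile App/Other),Other Security Measures,Contract? And Contract Details (ex. Start and End Dates),Vendor Status
Example IT Provider,Managed IT and helpdesk,Network;Systems;Data,,SMS,Background check passed,Yes; 2023-01-01 to 2024-12-31,Active
Example E-Sign Co,Electronic signatures,Data,,Mobile App,Password protected,Service agreement on website,Active
Example Cleaning Co,Office cleaning,Physical,,,Background check passed,Yes; 2022-06-01 open-ended,Active
Example Old Payroll,Payroll processing,Data,,Email,,Ended 2021-12-31,Inactive
"""

# Assumed weights: broader reach into the environment and weaker MFA raise the score.
ACCESS_WEIGHT = {"network": 3, "systems": 3, "data": 2, "physical": 1}
MFA_WEAKNESS = {"other": 0, "mobile app": 0, "sms": 1, "email": 2}
LOGICAL_ACCESS = {"network", "systems", "data"}


def parse_access(field):
    """Split 'Network;Systems;Data' (or comma-separated) into normalized tokens."""
    return [a.strip().lower() for a in field.replace(",", ";").split(";") if a.strip()]


def score_vendor(row):
    """Return (score, rating) for one vendor row.

    Score = sum of access weights + MFA weakness. MFA is only counted for
    vendors with network/systems/data access; a blank or unrecognized MFA
    cell on such a vendor is treated as "no MFA", the worst case.
    """
    access = parse_access(row[COL_ACCESS])
    score = sum(ACCESS_WEIGHT.get(a, 1) for a in access)
    if LOGICAL_ACCESS.intersection(access):
        mfa = row[COL_MFA].strip().lower()
        score += MFA_WEAKNESS.get(mfa, 3)
    if score >= 6:
        rating = "High"
    elif score >= 2:
        rating = "Medium"
    else:
        rating = "Low"
    return score, rating


def rate_vendors(csv_text):
    """Map vendor name -> rating for every row, active and inactive."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row[COL_NAME]: score_vendor(row)[1] for row in rows}


def mfa_findings(csv_text):
    """Active vendors with logical access that still rely on SMS, email or no MFA."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row[COL_STATUS].strip().lower() != "active":
            continue
        access = parse_access(row[COL_ACCESS])
        if not LOGICAL_ACCESS.intersection(access):
            continue
        mfa = row[COL_MFA].strip().lower()
        if MFA_WEAKNESS.get(mfa, 3) > 0:
            findings.append((row[COL_NAME], mfa or "none"))
    return findings


if __name__ == "__main__":
    for name, rating in rate_vendors(SAMPLE_VENDOR_LIST).items():
        print(f"{name}: {rating}")
    print("MFA follow-ups:", mfa_findings(SAMPLE_VENDOR_LIST))
```

With the sample rows, the IT provider (full access, SMS codes) rates High, the e-signature service (data access, app MFA) rates Medium, the cleaning company (physical only) rates Low, and the retired payroll vendor still rates Medium because it once held data. Only the IT provider shows up as an MFA follow-up; inactive vendors are kept for the record but not chased. Treat the computed rating as a starting point for the reviewer, not a replacement for reading the vendor’s security documentation.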
We go over this in detail in our article Third-Party Vendor Risk Management: A How-To Guide. But basically these are the steps to follow to start your third-party vendor risk management process:
You can learn more about each step in our How-To Guide.
You absolutely can perform the review of your third-party vendors yourself.
When we perform these reviews for clients, here’s how we approach it:
We’ll review each vendor one-by-one, and write up notes about what we found. If there’s anything concerning in the vendor’s third-party vendor report, we talk to the vendor’s representative to ask when the issue will be addressed. If it’s serious enough, we would consider recommending that you look for a new vendor.
All that said, you might decide you’d rather outsource this. This is not meant to be a sales pitch – but this is a service we provide as part of our Virtual CISO program. Having a dedicated vendor risk management team ensures that standards are met, communication is consistent, and experts are able to provide clarity.
If your business is smaller and doesn't have the budget for an outside team, or if your business is larger and you want to handle this in-house, you can! But the important thing is to make sure a dedicated process is followed at least annually to ensure cybersecurity risks are minimized.
What are fourth-party vendors? That’s right - they are your vendors’ vendors, and they can absolutely introduce risk into your business.
It’s important to know who your vendors do business with and whether any of your sensitive information is being shared/stored with them. Typically we recommend having verbiage in your vendor contracts that specifies the vendor agrees to review the security of THEIR vendors.
Vendor risk management best practices can be simplified down to this: make a thorough, security-focused vendor list, create and follow a third-party vendor risk management plan, create or use a specialized team, and don’t forget about your fourth-party vendors.
Following these best practices can help you better understand your risk, and can help you make decisions when choosing to renew or cancel a contract with a vendor.
As part of our Virtual CISO service, we help our clients with third-party vendor risk management, vetting IT service providers, and other important vendor decisions. We work with companies in highly regulated industries that need to comply with requirements such as HIPAA, CMMC, NIST 800-171, and those of the SEC, NYDFS, IRS, and FFIEC.
Joyce, A. (2017). Target Settles 2013 Hacked Customer Data Breach For $18.5 Million. Retrieved from https://www.nbcnews.com/business/business-news/target-settles-2013-hacked-customer-data-breach-18-5-million-n764031