Third-party vendor risk management, the process of reviewing the security of the outside companies you do business with, is becoming more and more important. Believe it or not, you can blame Target! You probably remember the 2013 Target breach: roughly 40 million payment card numbers were exposed (along with personal information on tens of millions more customers), the CIO resigned, and the CEO stepped down a few months later. That’s not counting the cost of cleaning up, which ran well past a hundred million dollars. What a lot of people don’t realize is that the Target breach started with an HVAC vendor. The vendor was hit by a phishing email, and the attackers then used its stolen credentials to log in to Target’s vendor-facing network. According to the vendor, that connection was used for electronic billing, contract submission and project management, not for adjusting thermostats, but once inside, the attackers were able to work their way toward the payment systems.
You need to make sure your third-party vendors are doing a good job handling your sensitive information. But what is the best way to do that?
In this article you will learn:
An organization outside of your company that provides a service or product with access to your sensitive data, finances, or network is a third-party vendor. This could include payroll service providers, IT providers, electronic billing providers, suppliers, manufacturers, outsourced consultants and more.
If a vendor has access to your company’s sensitive information (client data, credit card numbers, etc) and their network isn’t secure, then your company is at risk.
We mentioned the 2013 Target breach, but Target is hardly the only company to have suffered a third-party breach. In a 2018 study by Opus and the Ponemon Institute, which surveyed more than 1,000 CISOs and other security professionals in the US and UK, 59% of respondents said their organization had experienced a data breach caused by one of their vendors or third parties.
IBM Security’s 2019 Cost of a Data Breach report found that third-party involvement raised the average total cost of a breach by more than $370,000.
In 2014, attackers used a vendor’s credentials to get onto Home Depot’s network and install malware on its point-of-sale systems. They collected data from 56 million credit and debit cards and 53 million email addresses. Home Depot reported $62 million in breach-related expenses that year alone, before insurance recoveries.
You need to take the time to audit your vendors because if they don’t have good security, you don’t have good security.
The procedure for reviewing your third-party vendors is actually somewhat simple, but the information involved is often complex. You’ll need someone with cybersecurity and technical knowledge to be able to best evaluate the vendors’ security.
The ultimate goal is to confirm that your vendors have policies and controls in place to protect your data and, for the larger vendors, that those controls are audited regularly by an independent party. Part of the process is identifying any high-risk vendors and then either working with them to fix the issues or terminating the contract and finding a replacement vendor.
Below are the steps you should take to start the third-party vendor risk management process:
Let’s start with the basics. If you have a complete Information Security Policy, you should have this step completed already. We have a free InfoSec Policy template to get you started!
One of the sections we include in InfoSec Policies for clients is all about third-party vendors. We include the following information:
After making a list of your vendors and determining who is handling your sensitive data, the next step is to request certain information from those vendors. We break vendor reviews into two buckets: Large vs. Small. Large vendors usually already have independent audit reports and certifications you can ask for (a SOC 2 report, an ISO 27001 certificate, and so on); smaller vendors rarely do, so for them you’ll need a security questionnaire.
Screenshot from Microsoft's Audit Report page: https://servicetrust.microsoft.com/ViewPage/MSComplianceGuideV3
This will most likely be the most time-consuming part of this process. You need to carefully review the documents, audits and reports from your vendors. Follow up with questions as needed and be sure to document the questions and answers.
Depending on your organization, this is definitely when you might need some help from a cybersecurity expert to understand how the reports and answers make sense together.
Pro tip: for SOC 2 reports, don’t stop at the auditor’s opinion letter at the front. The details you care about are in the tests of controls toward the back of the report, where the auditor lists each control, how it was tested, and any exceptions found, along with management’s response to each exception. Also check the report type and period: a Type I report only describes controls at a point in time, while a Type II report tests whether they actually operated over a period (typically six to twelve months), so make sure that period is recent and that the systems in scope are the ones you actually use.
Now that you’ve made a list of vendors, compiled and reviewed their reports and answers, it’s time to decide whether the vendors are high-risk or not. Hopefully your vendors passed with flying colors or you at least didn’t find anything concerning or questionable.
Depending on the situation, you may need to make changes to how they access data (if they need to access your data at all!) to lower your risk. Grant only the access they need to perform their responsibilities. You’ll have to modify your contract as needed.
Or you may decide to end your relationship with that vendor if they won’t or can’t make the changes you require.
In most cases, if you’re a smaller company working with a large vendor, you won’t have a lot of options. However, you should still take the time to contact your sales or support contact, and ask them when the situation you identified will be resolved. You’ll be doing them a favor -- nothing makes companies fix problems sooner than complaining customers!
The last step is pretty easy! Schedule your vendor security reviews for the following year. It might make sense to follow the calendar year and plan on reviewing all vendors in January. Do what works for your company, but be sure to do it!
How often should you review your third-party vendors? Annual reviews make the most sense, unless something changes in your business, their business or the scope of your relationship. Any big change, such as the vendor disclosing a breach, being acquired, or gaining access to a new category of your data, should trigger a re-review.
Yes, there is another layer to this! Your third-party vendors probably use vendors too! You may have no contact with these companies at all, but it’s important to know who your vendors work with, whether your sensitive information is being shared/stored with them and to understand the risk involved. This is usually enforced by contracts in which your vendor agrees that it’s their job to also review the security of THEIR vendors.
We’ve tried to give you a glimpse into how third-party vendor risk management works. Depending on the number of vendors, the process can be quite time-consuming. Bigger companies may have reports and audits for you to review, but you still need to understand the information. And smaller companies without readily-accessible reports and policies? Building a questionnaire takes time and you still have to review the information!
We don’t say this to crush your dreams of taking on vendor risk management solo - but we want to be clear that your third-party vendors could be putting you at risk so it’s important to do this right. Hiring outside help to handle these reviews might make the best sense.
We help clients from various industries of various sizes with vendor risk management. Our proprietary questionnaire assists us with the security reviews. We know what to look for and we know the right questions to ask.
If you need help with third-party vendor risk management, contact us today.