Third-party vendor risk management, or the process of reviewing your third-party vendors, is getting more and more important. Believe it or not, you can blame Target! I’m sure you remember the Target breach, which ended with the CEO being fired, the CIO resigning and 40 million customer accounts being exposed, not to mention the millions of dollars spent on mitigating the issue. What a lot of people don’t realize is that the Target breach started with their HVAC vendor: the HVAC vendor was targeted by a phishing email, and the attackers then used the stolen credentials to access Target’s network. The HVAC vendor had that access so they could adjust thermostats.
You need to make sure your third-party vendors are doing a good job handling your sensitive information. But what is the best way to do that?
In this article you will learn:
- What third-party vendors are
- Why third-party vendor risk management is critical
- How to identify high-risk vendors
- Why reviewing fourth-party vendors matters too
- How we can help you with third-party vendor risk management
What are third-party vendors?
An organization outside of your company that provides a service or product with access to your sensitive data, finances, or network is a third-party vendor. This could include payroll service providers, IT providers, electronic billing providers, suppliers, manufacturers, outsourced consultants and more.
If a vendor has access to your company’s sensitive information (client data, credit card numbers, etc.) and their network isn’t secure, then your company is at risk.
Third-party vendor security audits are critical
We mentioned the Target breach from 2013, but they haven’t been the only ones to experience a third-party breach. According to a 2018 study by Opus and Ponemon involving more than 1000 CISOs across the US and UK, 59% of companies said they had experienced a data breach caused by one of their vendors.
IBM Security reported in 2019 that involvement of a third party often increases the total cost of a data breach by $370,000.
In 2014, hackers used a vendor’s credentials to access Home Depot’s computer network to install malware. Hackers collected information from 56 million credit and debit cards and 53 million email addresses. The breach cost $62 million.
You need to take the time to audit your vendors because if they don’t have good security, you don’t have good security.
How to identify high-risk vendors
The procedure for reviewing your third-party vendors is actually somewhat simple, but the information involved is often complex. You’ll need someone with cybersecurity and technical knowledge to be able to best evaluate the vendors’ security.
The ultimate goal is to make sure your vendors have policies in place to protect your data. For the larger vendors, you also want to make sure they’re having their policies audited regularly. Part of that is identifying any high-risk vendors and then either working with them to mitigate the issues or terminating the contract and finding a replacement vendor.
Below are the steps you should take to start the third-party vendor risk management process:
Step 1: List your vendors
Let’s start with the basics. If you have a complete Information Security Policy, you should have this step completed already. We have a free InfoSec Policy template to get you started!
One of the sections we include in InfoSec Policies for clients is all about third-party vendors. We include the following information:
- List the names of vendors with the appropriate contact person
- Designate which vendors have access to sensitive information, and what kind of information
- Describe the audit process for those with access to sensitive information
Step 2: Find or request the information
After making a list of your vendors and determining who is handling your sensitive data, the next step is to request certain information from those vendors. We break vendor reviews into two buckets: large vs. small.
- Larger companies (like Microsoft, Google, Schwab, etc.): the critical document to review is a “SOC 2 Audit Report.” Large companies pay cybersecurity auditors to come in and audit their cybersecurity program. There are two ways to get this:
  - First, search their website for a security or privacy section. Many large companies (like Google and Microsoft) post this information on their website.
  - If it’s not posted, email your sales or customer service contact and ask for copies of their SOC 2 audit reports or penetration testing reports.
  - IMPORTANT! Don’t assume that just because a vendor is big, its security is fine! We have found some surprising issues with a large cloud hosting vendor that led to some interesting discussions.
- Small companies (like an IT company or other outsourced service): ask for copies of their information security policies and training. If they don’t have a security policy, that isn’t necessarily a bad sign, but then you’ll need help from a cybersecurity expert to compile the right questions to ask. We have a standard survey that we send to vendors who fall into that category and that we use with our clients.
Sample questions for companies without audit reports or information security policies (this is not an exhaustive list by any means):
- Does your company have a security program?
- Who is responsible for managing your information security and privacy?
- How are your employees trained on cybersecurity?
- Do you have a business continuity plan?
- What data center providers do you use?
- Do you have password security standards?
- Do you use a VPN?
- Do you back up your data?
- Do you perform background checks on new employees?
Screenshot from Microsoft’s Audit Report page: https://servicetrust.microsoft.com/ViewPage/MSComplianceGuideV3
Step 3: Review documents and follow up with questions
This will most likely be the most time-consuming part of this process. You need to carefully review the documents, audits and reports from your vendors. Follow up with questions as needed and be sure to document the questions and answers.
Depending on your organization, this is definitely when you might need some help from a cybersecurity expert to interpret the reports and answers together.
Pro tip: for the SOC 2 audit reports, focus on the “Findings” section, which is usually towards the back. That’s where you’ll find any concerns that the auditors raised.
Step 4: Respond to security risks
Now that you’ve made a list of vendors and compiled and reviewed their reports and answers, it’s time to decide whether each vendor is high-risk or not. Hopefully your vendors passed with flying colors, or you at least didn’t find anything concerning or questionable.
Depending on the situation, you may need to make changes to how they access data (if they need to access your data at all!) to lower your risk. Grant only the access they need to perform their responsibilities. You’ll have to modify your contract as needed.
Or you may decide to end your relationship with that vendor if they won’t or can’t make the changes you require.
In most cases, if you’re a smaller company working with a large vendor, you won’t have a lot of options. However, you should still take the time to contact your sales or support contact, and ask them when the situation you identified will be resolved. You’ll be doing them a favor — nothing makes companies fix problems sooner than complaining customers!
Step 5: Schedule security reviews for the following year
The last step is pretty easy! Schedule your vendor security reviews for the following year. It might make sense to follow the calendar year and plan on reviewing all vendors in January. Do what works for your company, but be sure to do it!
How often should you review your third-party vendors? Annual reviews make the most sense, unless something changes in your business, their business or the scope of your relationship. Any big change should trigger a re-review.
What are fourth-party vendors?
Yes, there is another layer to this! Your third-party vendors probably use vendors too! You may have no contact with these companies at all, but it’s important to know who your vendors work with, whether your sensitive information is being shared with or stored by them, and to understand the risk involved. This is usually handled by contract terms in which your vendor agrees that it’s their job to review the security of THEIR vendors as well.
Third-party vendor risk management: Critical yet difficult
We’ve tried to give you a glimpse into how third-party vendor risk management works. Depending on the number of vendors, the process can be quite time-consuming. Bigger companies may have reports and audits for you to review, but you still need to understand the information. And smaller companies without readily accessible reports and policies? Building a questionnaire takes time, and you still have to review the answers!
We don’t say this to crush your dreams of taking on vendor risk management solo, but we want to be clear that your third-party vendors could be putting you at risk, so it’s important to do this right. Hiring outside help to handle these reviews might make the best sense.
How Adelia Risk can help
We help clients from various industries of various sizes with vendor risk management. Our proprietary questionnaire assists us with the security reviews. We know what to look for and we know the right questions to ask.
If you need help with third-party vendor risk management, contact us today.