Intelligence in CISO's Corner
Getty Images 691171106

CISOs, Are You Doing Enough to Evaluate and Address Your Vendor Risk?

Vendor risk management has become increasingly more important as companies outsource responsibilities and share sensitive data with third parties. Companies should take proper steps to perform appropriate initial and ongoing due diligence to ensure data is protected. Are you doing enough to ensure vendor compliance and prevent breaches due to third parties?

What is Vendor Risk Management?

Vendor risk management is the process of ensuring that the use of service providers and IT suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance. The risk management process will include identifying, classifying, assessing, monitoring, and decommissioning third parties.

A vendor service provider (“third party”) are entities that offer platforms, software, and services to other companies. They fulfill necessary business functions and therefore need to be carefully managed to ensure that the data they manage is not exposed to unauthorized third parties. Companies should assess vendors during an initial due diligence and perform ongoing monitoring for existing vendors.

Tips for CISOs to Assess New Vendors

Before procuring a new vendor, companies should perform an initial due diligence to ensure the vendor has proper security controls in place to protect any data that may be shared. The following steps should be taken:

Start by assigning a risk ranking to the vendor (i.e. high, medium, low). The ranking should be determined based on features, cost, security, controls. Once a ranking is assigned, expectations around the requirements can be controlled (i.e. SLAs, criticality).

Perform a vendor risk assessment. If the vendor maintains a SOC 2, ISO 27001, or related compliance report, request the report and review the findings. Companies should review the report to ensure that controls are in place and operating effectively around the availability of services and integrity of data. If the vendor does not maintain a compliance report, request a security questionnaire to be filled out to gather details on the controls in place.

Review the vendor contract to ensure security requirements are included. Contracts should specify their internal security commitments, including their policies and procedures, such as incident response, system hardening (penetration testing, assessments, etc.) and data privacy, protection and recovery.

The initial due diligence process is considered complete once the vendor is assessed to have the appropriate safeguards in place to protect data being shared with the vendor.

Tips for CISOs to Monitor Existing Vendors

Continuous monitoring should be performed for all existing vendors on an ongoing basis. The frequency of such ongoing reviews should be determined by the assigned risk rating. The risk rating should be assigned based on the level of dependency, risk of disruption, and level of data accessed by the vendor.

For example, companies may use the following risk rating definitions:

High: Daily operations significantly depend on the service and service failure would seriously disrupt business processes. Vendor has access, stores, transmits or processes critical/ sensitive data.

Medium: Daily operations regularly use the service but do not depend on it and service failure would impair but not seriously disrupt business processes. Vendor may store transmit, or process internal or public data.

Low: Operations regularly use the service but unevenly (i.e., not every day or not every user) and service failure would present challenges to operations but would not disrupt business processes.

Based on the risk ratings, reviews will occur on set frequencies. Examples of frequencies could include:

High vendors are assessed annually or when major changes to the contract occur.

Medium vendors are assessed bi-annually or when major changes to the contract occur.

Low vendors are assessed as needed.

Importance of Vendor Risk Management for the CISO

Vendor risk management has become a process at the forefront of businesses and can help to reduce risks related to third party relationships. Possible risks include the following:

  • Third-party data breaches: Vendor has access to sensitive data and a breach occurs.
  • Compliance risk: Vendor fails to comply with laws and regulations.
  • Operational risk: Vendor experiences operational disruptions that affect the company.
  • Financial risk: Vendor faces financial issues that affect them from performing services.

The Bottom Line

Third-party breaches have been significantly more common and can include ransomware attacks that impact a company indirectly, due to the vendor being locked down. Or worse, if directly connected, a ransomware attack could encrypt data on the main company. Recent third-party data breaches in 2023 included Dollar Tree, T-Mobile, Okta, MOVEit, Chick-fil-A, and more. Now more than ever, companies should be prioritizing vendor risk management to reduce the risk of data breaches.

Companies should take proactive steps to ensure formalized controls and safeguards exist to prevent third-party risks.

Sign up to get Cyber Intelligence Weekly in your inbox.