It has long been understood that IT risk is a business risk. The past few years have highlighted the importance of risk management in business operations.
If your IT staff falls behind on patching systems, fails to closely monitor hardware end-of-life, or fails to implement a plethora of security controls, this risk will eventually become a problem for the C-suite.
IT vendors and other suppliers bring a particular type of risk to your organization, and Vendor Risk Management takes the concept of risk management one step further.
IT risk from your third-party vendors can quickly become an organizational issue. We don’t have to look far back to find glaring recent examples of this problem.
Think of the vulnerabilities in Microsoft Exchange Server, SolarWinds and Kaseya, and, more recently, your vendors may have been impacted by the Log4j vulnerability around Christmas.
It’s not a new concept, but it’s been gaining attention recently. Do you remember the Target breach nine years ago?
While the root cause is arguably poor network segmentation, the way attackers got into Target was through an HVAC company.
The fundamental concept is that although we can outsource the work of a process, we can never truly outsource the responsibility and impact of a process. It is human nature to confuse responsibility with blame.
When assessing the risks to your organization, please resist the urge to say, “If we got hacked because of a vendor, it wouldn’t be our fault. We don’t have to worry about that.”
Will your customers see it that way after their personal information is published on the dark web?
Suppliers will bring risks in this increasingly interconnected world. There are several things we can do to limit the likelihood and impact of a horrific event.
First, we can follow a due diligence process when onboarding new suppliers and when renewing the contract.
Categorize your vendors based on how much you rely on them for a critical business process and whether they process, store, or transmit any of your sensitive data.
If these vendors exceed a risk threshold, you can take additional steps such as sending them a vendor questionnaire to request evidence of how they are protecting your interests.
A member of your team can review their answers to determine if their statements make sense and meet your standards.
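The categorization step above is easy to state and easy to do inconsistently. The following is an added example (not code from the column or its author) of a small, repeatable vendor-tiering model: each vendor gets a score from the two criteria the column names, reliance on the vendor for a critical business process and whether the vendor processes, stores or transmits sensitive data, plus a third criterion the column's Target example suggests, whether the vendor has access into your network. Vendors at or above a threshold are flagged for a questionnaire. The weights, tier names, threshold and sample inventory are all assumptions chosen for illustration.

```python
# Added example, not from the original column: a simple vendor-tiering model that
# turns the criteria in the text (reliance on the vendor for a critical business
# process; whether the vendor processes, stores or transmits sensitive data) plus an
# assumed third criterion (network access into our environment) into a score, a tier,
# and a yes/no decision on sending a vendor security questionnaire.
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    name: str
    criticality: int          # 0 (no dependence) .. 3 (runs a critical business process)
    sensitive_data: bool      # processes, stores or transmits our sensitive data
    network_access: bool      # has VPN, remote-support or site-to-site access to our network
    data_classes: tuple = ()  # e.g. ("PII", "PHI"); only counted when sensitive_data is True


# Assumed weights: each criterion adds points; regulated data classes add a little more.
CRITICALITY_WEIGHT = 2
SENSITIVE_DATA_POINTS = 4
NETWORK_ACCESS_POINTS = 3
REGULATED_DATA_POINTS = {"PII": 1, "PHI": 2, "PCI": 2}
QUESTIONNAIRE_THRESHOLD = 5   # assumed: score at or above this triggers a questionnaire


def risk_score(v: Vendor) -> int:
    """Combine the criteria into a single integer score (higher = more risk)."""
    score = v.criticality * CRITICALITY_WEIGHT
    if v.sensitive_data:
        score += SENSITIVE_DATA_POINTS
        score += sum(REGULATED_DATA_POINTS.get(c, 0) for c in v.data_classes)
    if v.network_access:
        score += NETWORK_ACCESS_POINTS
    return score


def tier(score: int) -> str:
    """Map a score onto assumed low/medium/high tiers."""
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def needs_questionnaire(v: Vendor) -> bool:
    return risk_score(v) >= QUESTIONNAIRE_THRESHOLD


def triage(vendors):
    """Return (name, score, tier, questionnaire?) per vendor, highest risk first."""
    rows = []
    for v in vendors:
        s = risk_score(v)
        rows.append((v.name, s, tier(s), needs_questionnaire(v)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample inventory for illustration only.
SAMPLE_VENDORS = [
    Vendor("Payroll SaaS", criticality=3, sensitive_data=True, network_access=False, data_classes=("PII",)),
    Vendor("HVAC monitoring", criticality=1, sensitive_data=False, network_access=True),
    Vendor("Marketing email tool", criticality=1, sensitive_data=True, network_access=False, data_classes=("PII",)),
    Vendor("Office coffee supplier", criticality=0, sensitive_data=False, network_access=False),
]

if __name__ == "__main__":
    for name, score, t, q in triage(SAMPLE_VENDORS):
        print(f"{name:24} score={score:2} tier={t:6} questionnaire={'yes' if q else 'no'}")
```

Note that the HVAC vendor handles none of our data and runs no critical process, yet still lands in the medium tier and gets a questionnaire purely because of its network access; that is the lesson of the Target example expressed as a rule rather than a war story. Tune the weights to your own environment, but keep them written down so two reviewers categorize the same vendor the same way.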
Your organization has probably received these supplier risk questionnaires. If you purchase cybersecurity insurance, you must have completed one of these questionnaires.
The questions are pretty standard and you should have thought of them already. Do you use MFA? Do you have offsite backups?
Do you have modern endpoint protection? Do you have alerts and monitoring of abnormal events?
They try to assess if you have a security program. These are the types of questions you should ask your high-risk vendors because their problems can quickly become your problems.
Second, there are scanning tools and services you can use to take a look at a vendor’s external, internet-facing presence. Shodan and BitSight are two that come to mind.
While this external view doesn’t paint the full picture, it can give you additional insight into the health of another organization’s security program.
Third, if a vendor’s legacy software will not allow you to fix critical vulnerabilities, maybe it’s time to put pressure on that vendor to fix their problems, or to start looking for another vendor that can.
Brandon Blankenship is a cybersecurity consultant at ProCircular and a board member of SecMidwest, a Cedar Rapids-based nonprofit focused on cybersecurity education. Visit SecMidwest.org for more information on attending the organization’s free monthly meetings.