Vendor Risk Management (VRM) allows you to assess the risk that comes from going into business with a third party vendor. By evaluating several aspects of their security posture, you obtain data necessary to identify risks, which in turn allows you to address those risks either by making internal changes or by requesting changes to the vendor.
The ultimate goal of Vendor Risk Management or, in a broader sense, Third Party Risk Management (TPRM), is to give your organization the power to control risk in your supply chain.
If you haven’t formalized a TPRM program yet or it hasn’t reached your desired level of maturity, read on. Here are 3 reasons why implementing security risk assessment initiatives is more important than ever.
1. More third party vendors are touching corporate data
The shift to remote work after the COVID-19 pandemic hit, together with the acceleration of digital transformation, elevated security risk. New risk comes from the use of personal devices, insecure networks, and apps that support remote collaboration.
At the same time, businesses are becoming more global, and more third party vendors enter the network each month: a law firm, an outsourced software development company, a marketing agency, a finance consultant, and so on.
While third parties are key allies for business growth and day-to-day operations, they can increase the risk surface for an organization. Think of being breached through a vendor or suffering a business continuity disruption...
If vendor risk management was always considered a strategic business initiative, it is now a must for any organization that wants to outsource a key business function. These third parties get access to different layers of company data, so it’s imperative to have visibility and control over every data touchpoint.
2. Third party data breaches can be more damaging than ‘regular’ data breaches
Cybercriminals never rest and the new normal is no exception to the usual risks of credential theft, phishing, malware, business email compromise, etc. A cybersecurity and risk management strategy needs to go beyond the limits of the organization to cover the extended supply chain, making sure all types of vendors, especially those who handle critical data, are carefully monitored.
Some of the biggest and costliest data breaches in history were actually due to third party vendors and service providers, and their being compromised had a detrimental effect on customers. It can be as basic as a data leak or a credential theft that grants attackers access to your systems, and yet the effects can be devastating. While blaming the vendor seems like the obvious response, at the end of the day, it’s the lack of vendor risk management initiatives that leads to this point.
In the United States, the most newsworthy of these breaches were Target and Home Depot (read more here), with millions of customers and users affected, reputational damage for the businesses, and millions of dollars spent in recovery.
The moral of these vendor related breaches is that securing your own organization’s perimeter is not enough, as third party risk (and fourth party risk) can make you end up in the news for the wrong reasons.
What all these breaches have in common is that they could have been avoided, or at least could have had a lower impact, if those third-party relationships had been better monitored.
3. Regulation is on the rise
In the early years of third party risk management, regulation was mainly focused on the banking industry, which faced a continuous pattern of cyber attacks and handled extremely sensitive information. With the rise of SaaS, data became more scattered than ever and regulation crept into other industries like insurance, energy and utilities. Now it’s not only about security but also privacy, with GDPR and CCPA taking the lead, while industry-specific regulations remain a standard.
What this push in regulation means for companies is a bigger need to ensure their third party ecosystem is as safe as their internal network.
When discussing the impact of NERC CIP-013, one of the latest regulations in the energy and utilities sector, we said that these frameworks provide organizations with more comfort in knowing that they are doing things better and understanding the elements of their supply chain.
Ultimately, compliance with an industry standard will force your organization to stay on top of critical questions like:
- Who are you doing business with?
- What critical or sensitive data are they accessing?
- Was the component you purchased manufactured up to standard?
- Was the service you hired executed up to standard?
- Has it been intercepted in some way?
How to get started with vendor risk management (VRM)
For all the reasons stated above, it’s highly likely that your organization is facing these three same factors:
- There are more vendors in the supply chain than last year
- The risk of a third party data breach keeps going up
- Regulation is forcing your company to take action
The solution is not to avoid going into business with a vendor, but to engage with vendors who show a robust security posture. To that end, a consistent third party risk management framework will help you assess the potential risk of this relationship and decide whether you want to engage in it or not.
If you do, you’ll also need the tools to continuously monitor their security posture long after the initial due diligence, with security ratings and risk scores that can be easily measured against your organization’s risk appetite.
However, where companies really struggle is in actually starting and scaling a vendor risk management or third party risk management program. What tool can you use to get through this without having to add headcount to the process or wait for months to get budget approval?
Budgets are minimal, and even when you have one, you still need to build the business case, find people with the expertise to do this, and start executing a formal program that shows results in the short to medium term.
Companies’ natural inclination is to start doing this manually with the tools they have: emails and spreadsheets. You might read some blogs and strategy guides (like ours) and follow industry standards or questionnaires like SIG Core and Lite to gather all the information and assurances you need from your vendor.
Well, that doesn't scale. It’s extremely time-consuming and frustrating for both parties.
The issue for enterprises
Your organization will be constantly chasing vendors via email to get these gigantic spreadsheet questionnaires filled, and will end up with a lot of responses that can’t be easily translated into insights or decision drivers. What are you doing with that data? And how do your assessment requirements vary according to the type of vendor evaluated?
Sadly, this point-in-time assessment does not guarantee that your company will be safe for the rest of the duration of this third party relationship.
The issue for third party vendors
The vendor will be constantly asked by every new customer to answer the same questions and send the same security documents, such as SOC reports, ISO certifications, HITRUST, pentests, insurance documentation, and more. The manual approach does not allow for easy follow-up on any findings. When a new version of a security document becomes available, it can be challenging to proactively make it available to all customers at once.
The good news
The goal of our ThirdPartyTrust platform is to simplify and scale this risk assessment process for both sides, eliminating the redundancies and inefficiencies. Through automation and customization of the evaluation requirements for enterprises, and the response process for vendors, we’ve built a collaborative network that facilitates information sharing in both directions.