LMG Security’s Madison Iler discusses how to structure a vendor risk management program (and where to spend your time) and shares common missteps that can reduce program effectiveness.
As evidenced by the recent far-reaching SolarWinds breach, supply chain attacks represent one of the top cybersecurity risks for organizations. In today’s digital world, business associates often handle your organization’s (and clients’) sensitive data, so it’s important to evaluate the risk they pose and ensure they have the proper cybersecurity controls. This article covers the why and how of evaluating the cybersecurity programs of your vendors and business associates to help keep your business safe and meet compliance goals.
A number of high-profile cybersecurity incidents in recent years have highlighted the risks that vendors can pose to an organization’s data and systems. Well-known companies such as Target, Netflix, and Ticketmaster have been affected and analyzed extensively in the media, but many smaller companies have also had vendor-related incidents and data breaches. All of these attacks pale alongside the recent SolarWinds attack that opened up back doors and exposed sensitive data at numerous government agencies and high-profile organizations.
These incidents can result in financial impact, operational disruptions, legal ramifications and reputational damage to your organization, even if the incident was due to a gap in your vendor’s protections or processes. These events drive home the importance of vendor risk management and security due diligence as a crucial element of every organization’s cybersecurity program.
While vendor risk management is well-established at many companies, especially in regulated industries like banking and health care, it is still new to many organizations.
A Risk-Based Approach
When getting started, it is important to stay focused on why you are doing this. The short answer is risk! You want to take steps to reduce risk related to your vendor relationships. Most organizations can think about risk in terms of sensitive data and the availability of key operational functions, although be sure to consider any risks that may be unique to your environment or mission.
To help stay focused on primary risks, I frequently advise companies not to overcomplicate it, especially as you are setting up your program. It is better to get something simple and consistent in place for your higher-risk vendors and then take steps to expand and build upon what you have started.
An Organizational Approach
One early question is deciding where this function will live in your organization. There is not a one-size-fits-all answer to this question, as it will require collaboration between various parties. Procurement is often involved from a tracking perspective, but actual vetting will need to include cybersecurity subject matter experts from the IT department and/or the security team.
The other key player who sometimes is overlooked is the organization’s primary point of contact (POC) with the vendor. This is the person or department who relies on the vendor’s service and may have regular interaction. Including this person or department in the vetting is important, as they will know what data the vendor stores or needs access to (and what they don’t need access to), the systems they use and the criticality of the services being provided. Coordination with this POC is essential to make vendor vetting meaningful.
Some companies may decide to have their internal POCs for each vendor track the vetting process, but I recommend some centralized oversight (i.e., risk management, procurement, legal, security) to ensure individual departments are keeping up with requirements and to provide a level of consistency and visibility across departments. The visibility component is important to allow centralized decision-making on specific risks and whether or not they are acceptable to the organization as a whole.
In line with staying focused on risk, an early step of your program will be vendor categorization. The goal here is to put your vendors in buckets based on the level of risk they pose to your organization.
This effort may require input from several parties internally. The internal role who works directly with the vendor will best know what data they access or store and whether it is sensitive or not. Your IT department might need to weigh in on how they access systems and data or how data is transferred to/from the vendor. Don’t assume your procurement department has this information – internal coordination has to be built into the categorization process.
Most organizations will consider two primary sources of risk: sensitive data and criticality of services:
- Does the vendor have access to your organization’s sensitive data? Consider both data stored on their systems or data they access on your systems. We usually think of customer data first, but be sure to factor in employee data (payroll, employee wellness program, other benefits).
- Is the vendor’s service critical to your business operations? Consider whether extended vendor downtime caused by a cybersecurity incident or other outage would have a substantial impact on your operations. Also consider whether the vendor’s service could be easily/quickly replaced.
- Many vendors will not fall into either category – that’s OK! That means you have considered risk related to this vendor’s services and determined it is a low-risk relationship.
Based on these criteria, group your vendors into risk-based buckets. You might go with “critical, moderate and low” or keep it even simpler, with “high and low.”
Try not to get stuck on the categorization step. I’ve seen organizations spend a lot of time here trying to devise a large number of buckets or trying to get their criteria just right, but that may not be a good use of time if it delays you from moving on to the actual vetting.
The purpose of the categorization step is to help you decide how and where to spend your due diligence time and effort. Categorizing alone doesn’t get you anywhere as far as managing risk. Keeping in line with a risk-based approach, if you can quickly identify at least some of your higher-risk vendors, go ahead and start the vetting process with them. You can always circle back to tweak your categorization later if needed.
Start Your Vetting
Once you have your categories, start with the higher-risk bucket and consider what you need to know about these vendors to assess risk to your data and operations. It may not be a one-size-fits-all question, which is why it is important to have internal collaboration to make sure you are asking the right questions.
Here are some examples of what you might want to know about certain types of vendors. Notice this is not just about the vendor’s own security controls, but also about how your organization is managing vendor access and data transfers.
Example: A vendor’s employees access sensitive information on your systems.
- Think about how they screen employees, any contract specifications restricting or prohibiting data downloads onto their systems, and how well or quickly do they keep you informed and eliminate access when an employee leaves the organization or changes positions. Most of these topics are related to your processes for working with this vendor, rather than specific security controls on their end.
- Also coordinate with your own IT department on the strength of access management processes and authentication methods. Is access restricted to only what is needed for the vendor’s role? Are strong password requirements enforced and multifactor authentication required where possible? Is logging in place to capture records of system and data access?
Example: The vendor houses your sensitive data on their systems.
- Ask a lot about the overall security protections of their systems. This could include evidence of regular technical security testing (i.e., penetration tests, web app security assessments), questions around security basics like strong authentication, role-based access, encryption and audit logging and monitoring. This could also include evidence of a third-party or self-assessment. Detection capabilities, incident response preparedness and timely breach notification may also be important to you, especially for a regulated industry such as health care.
- In this scenario, leveraging a security controls questionnaire for the vendor to complete can be far more efficient than devising your own questions. Look for free versions online or subscribe to a paid service.
- Internally, evaluate the security of how data is transferred to and from this vendor.
Example: Vendor risk is related to potential service disruptions.
- Inquire about general security controls to prevent a cybersecurity incident. Also ask about business continuity plans, backups, incident response preparedness and disaster recovery planning.
- Internally, consider business continuity planning in the event the vendor’s service is disrupted. The affected department(s) should think though service disruption scenarios and plan continuity strategies. If applicable, consider identifying alternate service providers or whether some services could be handled in-house temporarily to support continuity of operations.
All high-risk vendors – Ask for evidence of cybersecurity insurance not just for financial damages, but to support the vendor with response and recovery in the event of an incident.
Evaluate the Information Collected
What do you with the info you receive from the vendor and internal resources?
Unfortunately, sometimes companies who are meticulous about requesting due diligence information from vendors may not have effective or consistent processes in place to review the material and follow up with questions or concerns. Why would this happen?
In some cases, the role or department charged with conducting due diligence is not a subject matter expert in security issues. Consider these examples:
- Someone in the contracts or procurement department sends a vendor a questionnaire, and it is returned with Yes/No answers. Does that person know if the vendor’s answers are what you want to see?
- The vendor is asked to provide their incident response and business continuity plans for review. Who internally will review these documents? If that task falls to procurement or to the vendor’s primary POC, is that person familiar with the expected elements of incident response and business continuity plans? How will they know if the plans meet your organization’s needs?
In other cases, collecting the information is treated as the goal of the exercise. If the vendor provides the requested questionnaire responses or documentation within your requested timeline, that is counted as successful due diligence, even if the responses actually contain information that may pose risks to your organization.
Ensure your organization has a process for reviewing the responses and that those tasked with the review have enough subject matter expertise to make the review meaningful.
Tracking and Follow-Up
After reviewing the provided information, follow up with the vendor for any needed clarifications or to inquire further about areas of concern. If you are told they have certain security improvements planned, make a note to check in again at regular intervals to inquire about progress and make sure things are moving forward. Let vendors know you are expecting to see progress in these areas and that security is a consideration in deciding whether or not to continue the vendor relationship.
Share the review results and any concerns with appropriate parties internally to provide visibility of risks and allow for decision-making regarding specific vendors. For some organizations, this may be a security management or risk management committee. For others, it may be the executive team or board. Since these vendor relationships can introduce risk to the organization, risk decisions need to be made at an enterprise level, not solely within the department using the vendor.
Once you have identified and reviewed your most critical vendors, set a cadence for regular check-ins and updates. Additionally, incorporate security vetting into your selection of new vendors, based on the same criteria and risk-based approach you are applying to existing relationships.
Consistent vetting and review of vendor risks to your organization can help you identify steps to reduce risk and improve your overall security posture.