
Vendor Risk Management 101: Minimizing Vendor Risk

In Risk and Compliance by Joel Gridley

Would You Hire a Vendor Who Tracks Mud in Your Home?

We’ve all been there before: you need a plumber. You hope that any plumber that you invite into your home respects your space. If they end up tracking mud through your house, or they leave your home in a worse condition, chances are you won’t want them back regardless of the quality of service they provide. Respect has been breached.

These same homeowners also manage IT systems and applications at work, and many practice far less diligence when granting access to their computing environments. Lack of diligence doesn’t always equate to a lack of commitment or concern for data protection. Rather, they may have a different set of precautions when it comes to acceptable behavior for entering a computing home versus their own home.

Setting Vendor Expectations

Current perceptions about what it is appropriate to demand of a vendor span a wide range, based mostly on the type of service that vendor offers. The more privileged the access a vendor requires to provide its service, the more stringent the demands can be.

For example, managed security providers, financial service providers, or law firms are not only required to provide documentation confirming the credentials of persons who require access, but they are also expected to have audit-caliber evidence of compliance with certain standards.

Other types of vendors (HVAC vendors, caterers, car services, travel services) need access only to less sensitive portions of the network, and there is a clear difference in the vendor risk they are perceived to carry and in the authentication requirements set for them. This type of vendor may introduce less obvious vendor risk. However, risk is calculated using likelihood as a determining factor. Today's status quo is to demand fewer precautions of these vendors, and threat actors are increasingly targeting these weak links, so the likelihood of compromise naturally increases. Unfortunately, this form of vendor risk flies beneath most radars and is not adequately considered.

Vendor networks connecting to your corporate network (regardless of the type of access they require) represent a vector of attack. This avenue of compromise is often entrusted to the vendor to manage with little or no oversight to ensure adequate controls are in place. Even when vendors abide by all requirements while on a customer network, there is no guarantee that these requirements will be sustained once they disconnect.

Holding Vendors Accountable

The effort and expense a company spends on securing its environment is often undermined by the vendors it employs. That’s why vendor risk management is so important. It would seem to be outrageously frustrating for a company to invest a substantial amount of capital and effort in securing its systems, only to be forced to report to their consumers that a data breach had occurred regardless of who was to blame.

So how do we fix this erroneous perception? How do companies empower themselves to hold vendors to higher standards, regardless of what access the vendor has? Do we need more instances like the 2016 Target breach before it becomes acceptable to require assurance of a minimum standard of security from vendors?

Mitigating persistent connections to your network should be considered a given. The more security managers who accept this fact, and the more companies that require standards for vendors before doing business, the more difficult it will be for attackers to have access to your network.

Is it a guarantee that it will be secure? No. But we will have taken away one more avenue of attack, which in itself is a win.
