You’ve likely heard your fair share of mortifying headlines involving IT vendor management. Many of the highly publicized breaches in the last several years occurred simply because the companies did not follow basic best practices for IT vendor risk management (VRM).
But our goal isn’t to point fingers. We simply want to help you avoid making those same mistakes! The following 12 tips and tricks will help you organize your IT vendor risk management best practices — and help you avoid being in the spotlight for embarrassing reasons.
Many organizations don’t have a complete list of their vendors. This is a major issue. Because these third parties often have access to networks and valuable data, it's critical to take the cybersecurity posture of your vendors seriously and prevent any unwanted consequences
Even if your organization does have a list of critical vendors, it’s important to know what kinds of data your suppliers have access to and whether each vendor has direct access into your network.
For example, if your vendors have direct access to your assets, systems, and network, are you able to manage and control that access? You should follow the “principle of least privilege”—which means vendors should only be able to access the information they must have access to in order to perform their job duties.
If you can recall the highly publicized Target breach of 2014, you’ll remember that Target had contracted out to Fazio HVAC to wirelessly monitor their refrigerated units. Target knew Fazio HVAC had a connection, but they didn’t know the extent of the connection—and they certainly didn’t realize someone could gain access to their entire corporate network through one HVAC company. It’s perfectly reasonable to provide third parties with access to your network, but you have to be able to limit their access to what they truly need. Frankly, anything else is negligent.
Just because a third party doesn’t have direct access into your network doesn’t mean they can’t inadvertently (or purposely) harm your organization. Consider a law firm, for example. They may not have access to your network, but they could instead have access to your deal docs, intellectual property, merger and acquisition information, research and development, health care records, and more. If someone wanted that information and knew your law firm housed it, they wouldn’t have to breach your organization—they’d just need to breach your law firm.
Aside from knowing which vendors have access to your “crown jewels,” you also need to analyze what constitutes “sensitive data” at your organization. For example, T-Mobile housed data with Experian, and when Experian was breached, it compromised the information of over 15 million T-Mobile customers.
Having an indecent occur on a vendor network that results in the loss of your data is a frustrating process. But there is nothing worse (or more embarrassing) than digging through your contract with the vendor to figure out what your restitution is, only to realize you didn’t spell out your security expectations. If something like this happens, you’ll likely have no recourse whatsoever. So, it’s very important to protect yourself as best you can through your vendor contract from the get-go.
A lot of people assume that since they’ve known someone for a long time or because a company seems trustworthy, that they’re doing a good job. This is a huge mistake. Again, this goes back to “trust, but verify”—don’t put anyone’s cybersecurity on a pedestal for any reason.
Simply put, you should never trust everything your vendor is telling you. This is where on-site testing and other vendor risk management best practices come into play; you need to verify that your most sensitive data is constantly being watched over.
Many organizations will notify you of a security breach whether they’ve been contracted to or not, but some may decide to keep that information to themselves in a last-stop effort to keep their relationship with you. No matter what, you can’t assume that your vendor will come forward unless you’ve made this very clear to them.
My guess is one embarrassing headline might read, “They didn’t tell us it was important!” Or, “They never told us they cared about security, so how were we supposed to know?” The point is, you should assume your vendor doesn’t know that cybersecurity is of the utmost importance until you make it clear to them.
It’s critical to remember that the size of the vendor and the price of the contract aren’t all that important in terms of cybersecurity. The important thing is whether your vendors have access to your sensitive data or corporate network.
For example, domain name service (DNS) provider NS1 was hit with a distributed denial of service (DDOS) attack—and since they provide services to other companies, those companies were affected. NS1 isn’t a particularly large organization, but it still caused significant issues for those businesses that used them as a third party.
To be able to execute consistently in vendor management, you need to use the best tools available. These technologies help you manage assets, remediate vulnerabilities, and respond quickly to issues of importance. For example:
Note: You can’t just purchase the tools and call the job done—you must ensure that your software solutions are implemented efficiently and monitored diligently. For example, patch management—making sure you have the latest fixes and that your software is up-to-date to remove any security vulnerabilities—is a critical part of software management. And while that sounds fairly simple, many companies do not patch vulnerabilities frequently enough, and are then breached because of their negligence.
You know your third parties are sharing data or network access with other third parties—but how do you get visibility in that situation? This is called fourth-party monitoring. The reason fourth-party monitoring is critical is because previously, it’s been outside of your view—making it very difficult to both understand and quantify.
While many organizations are still grappling with third-party vendor management, fourth-party monitoring is now gaining much more attention and regulatory scrutiny. Just because you ensure your third parties have good cybersecurity controls in place doesn’t mean your fourth-parties do—which could be an entry point for bad actors. So, whether it’s now or in the future, you’ll need to know how to manage cyber threats across multiple degrees of separation. Some companies today are already tracking the trail of their data all the way to eighth- and ninth-party monitoring!
Simply put, vendor risk management best practices must be a top priority. History is showing that neglect in this area leaves some companies in very bad situations—so you must have a defensible process in place for your vendor risk management. You should be able to confidently say that you manage third-party risk as best as you can and, even though bad things are likely to happen, prove that you’re doing what you can to cover your bases. If you can do this—starting by implementing these 12 IT vendor management best practices—you’ll likely find yourself in the headlines for all the right reasons.
