You’ve likely heard your fair share of mortifying headlines involving IT vendor management. Many of the highly publicized breaches in the last several years occurred simply because the companies did not follow basic best practices for IT vendor risk management (VRM).
But our goal isn’t to point fingers. We simply want to help you avoid making those same mistakes! The following 12 tips and tricks will help you organize your IT vendor risk management best practices — and help you avoid being in the spotlight for embarrassing reasons.
12 Vendor Risk Management Best Practices
1. Know who your vendors are.
Many organizations don’t have a complete list of their vendors. This is a major issue. Because these third parties often have access to networks and valuable data, it's critical to take the cybersecurity posture of your vendors seriously and prevent any unwanted consequences
2. Know if your vendors have direct network access.
Even if your organization does have a list of critical vendors, it’s important to know what kinds of data your suppliers have access to and whether each vendor has direct access into your network.
For example, if your vendors have direct access to your assets, systems, and network, are you able to manage and control that access? You should follow the “principle of least privilege”—which means vendors should only be able to access the information they must have access to in order to perform their job duties.
3. Know how vendors are connected to you.
If you can recall the highly publicized Target breach of 2014, you’ll remember that Target had contracted out to Fazio HVAC to wirelessly monitor their refrigerated units. Target knew Fazio HVAC had a connection, but they didn’t know the extent of the connection—and they certainly didn’t realize someone could gain access to their entire corporate network through one HVAC company. It’s perfectly reasonable to provide third parties with access to your network, but you have to be able to limit their access to what they truly need. Frankly, anything else is negligent.
4. Do your due diligence on vendors that have access to your sensitive data.
Just because a third party doesn’t have direct access into your network doesn’t mean they can’t inadvertently (or purposely) harm your organization. Consider a law firm, for example. They may not have access to your network, but they could instead have access to your deal docs, intellectual property, merger and acquisition information, research and development, health care records, and more. If someone wanted that information and knew your law firm housed it, they wouldn’t have to breach your organization—they’d just need to breach your law firm.
There are thousands of questions you could ask your vendor about security. Can you determine which of them are the most important?
Aside from knowing which vendors have access to your “crown jewels,” you also need to analyze what constitutes “sensitive data” at your organization. For example, T-Mobile housed data with Experian, and when Experian was breached, it compromised the information of over 15 million T-Mobile customers.
5. Clearly spell out all security expectations in your vendor contracts.
Having an incident occur on a vendor network that results in the loss of your data is a frustrating process. But there is nothing worse (or more embarrassing) than digging through your contract with the vendor to figure out what your restitution is, only to realize you didn’t spell out your security expectations. If something like this happens, you’ll likely have no recourse whatsoever. So, it’s very important to protect yourself as best you can through your vendor contract from the get-go.
6. Don’t give free passes to anyone.
A lot of people assume that since they’ve known someone for a long time or because a company seems trustworthy, that they’re doing a good job. This is a huge mistake. Again, this goes back to “trust, but verify”—don’t put anyone’s cybersecurity on a pedestal for any reason.
7. Assess your vendors for their security.
Simply put, you should never trust everything your vendor is telling you. This is where on-site testing and other vendor risk management best practices come into play; you need to verify that your most sensitive data is constantly being watched over.
8. Ensure your vendors know to report an incident to you.
Many organizations will notify you of a security breach whether they’ve been contracted to or not, but some may decide to keep that information to themselves in a last-stop effort to keep their relationship with you. No matter what, you can’t assume that your vendor will come forward unless you’ve made this very clear to them.
9. Let your vendors know this is a priority for you.
My guess is one embarrassing headline might read, “They didn’t tell us it was important!” Or, “They never told us they cared about security, so how were we supposed to know?” The point is, you should assume your vendor doesn’t know that cybersecurity is of the utmost importance until you make it clear to them.
10. Don’t assume a small vendor can’t cause a big problem.
It’s critical to remember that the size of the vendor and the price of the contract aren’t all that important in terms of cybersecurity. The important thing is whether your vendors have access to your sensitive data or corporate network.
For example, domain name service (DNS) provider NS1 was hit with a distributed denial of service (DDOS) attack—and since they provide services to other companies, those companies were affected. NS1 isn’t a particularly large organization, but it still caused significant issues for those businesses that used them as a third party.
11. Ensure that you have the right technology in place for better vendor risk management.
To be able to execute consistently in vendor management, you need to use the best tools available. These technologies help you manage assets, remediate vulnerabilities, and respond quickly to issues of importance. For example:
- Bitsight Security Ratings: Bitsight specializes in continuous third-party monitoring that identifies, quantifies, and mitigates cyber risk without being intrusive or resource-heavy.
- IHS Markit: Markit is home to the “know your third party” platform that goes beyond just cyber risk—they look at legal and financial risk as well, providing a more holistic view.
Note: You can’t just purchase the tools and call the job done—you must ensure that your software solutions are implemented efficiently and monitored diligently. For example, patch management—making sure you have the latest fixes and that your software is up-to-date to remove any security vulnerabilities—is a critical part of software management. And while that sounds fairly simple, many companies do not patch vulnerabilities frequently enough, and are then breached because of their negligence.
12. Assess the third parties of your third parties.
You know your third parties are sharing data or network access with other third parties—but how do you get visibility in that situation? This is called fourth-party monitoring. The reason fourth-party monitoring is critical is because previously, it’s been outside of your view—making it very difficult to both understand and quantify.
While many organizations are still grappling with third-party vendor management, fourth-party monitoring is now gaining much more attention and regulatory scrutiny. Just because you ensure your third parties have good cybersecurity controls in place doesn’t mean your fourth-parties do—which could be an entry point for bad actors. So, whether it’s now or in the future, you’ll need to know how to manage cyber threats across multiple degrees of separation. Some companies today are already tracking the trail of their data all the way to eighth- and ninth-party monitoring!
Simply put, vendor risk management best practices must be a top priority. History is showing that neglect in this area leaves some companies in very bad situations—so you must have a defensible process in place for your vendor risk management. You should be able to confidently say that you manage third-party risk as best as you can and, even though bad things are likely to happen, prove that you’re doing what you can to cover your bases. If you can do this—starting by implementing these 12 IT vendor management best practices—you’ll likely find yourself in the headlines for all the right reasons.