Why Your Business Needs a Vendor Management Policy
Jake Olcott | March 3, 2016
This post was updated on September 14, 2020.
A vendor management policy is a best practice for organizations seeking to tier their vendors based on risk. Such a policy identifies vendors which pose the greatest cybersecurity risk to your organization and then outlines the controls the company will implement to lessen this risk. These controls might include rewriting all contracts to ensure vendors meet a certain level of security, or implementing an annual inspection.
Unfortunately, many organizations overlook the importance of a vendor management policy, instead focusing their attention on their own internal security posture. However, there are several reasons why you should consider implementing a vendor management policy today.
1. You could get sued
There are a growing number of legal requirements in a variety of sectors — from finance, to retail, to healthcare, to energy — on how companies should manage their third-, fourth-, and nth-party risk.
Regulators have recognized that data breaches (See SolarWinds breach) through third and fourth parties can present a significant and sometimes catastrophic consequence to an organization — and have created various legal requirements in an effort to ensure organizations manage their supply chain and partner cyber risks more carefully.
Without a vendor management policy, if you’re in a regulated industry you could be out of compliance (and in a lot of trouble).
2. You’re a target
An organization should be concerned about third and fourth parties that have either access to their most sensitive data or direct access into their corporate network.
If your vendor management policy includes working with an extended business ecosystem of vendors, sub-contractors, and partners, you’re naturally creating more targets that hackers and criminals can exploit. This is becoming more common, because organizations are outsourcing to vendors more frequently in an effort to either save costs or capitalize on vendor expertise.
The more vendors you have, the larger risk landscape you create. This is a well-known risk — but too many companies don’t give it enough thought.
3. You have vulnerabilities you don’t even know about
Not all vendor risks are easily understandable. Many organizations today have entered into business relationships with third parties without fully understanding the risk to their data. And what’s more, the first party may not have set requirements in their vendor management policies for how their vendors should secure their data.
A lot of organizations struggle with even knowing who has access to their sensitive data, how much access they have, where it resides, and more. These “unknowns” give plenty of folks a valid reason for concern.
4. You might face some severe consequences
To see how very real the consequences of not managing vendor policy are, simply read some of the latest cybersecurity headlines. Today, 59% of data breaches originate with third-party vendors.
The truth is, if you don’t have a vendor management policy in place today, your company is being negligent. Not having a policy in place means that there’s a good chance your organization’s sensitive data may be handled by someone who shouldn’t have access to it. This puts the health of your entire company on the line.
You might be feeling a little overwhelmed — but we are here to help. Below, we’ve outlined four tips that will get you started with your vendor management policy right away.
1. Build a team
It’s critical to have people from many different positions and perspectives on your vendor management policy team. Aside from upper management, you want to have someone from acquisitions and procurement, a lawyer, an IT security person, and someone representing the business unit, so you can understand the data. This team will be charged with taking on the next step, which is to gather a list of vendors and determine which of them are critical.
2. Gather a list of your vendors
Keep in mind that the definition of a vendor isn’t as narrow as you might think. This all-encompassing list should include every third-party, contractor, or associate your organization does business with or works in partnership with. Having a vague idea of which companies might make the list isn’t enough — you need to know exactly who these vendors are.
Once the list is compiled, you’ll begin the critical assessment portion of your vendor management policy. You’ll need to determine which vendors:
Have access to your sensitive and important data
Have direct access to your corporate network
Once you’ve sorted out these vendors, they should be categorized as “critical.” These are the vendors you’ll want to spend the most time learning about and monitoring — because if one of these vendors is compromised in any way, and the malicious actor finds a backdoor into your organization, the destruction to your data or network could be catastrophic.
3. Keep vendor management in mind during the diligence process
At this point, you have already identified vendors you’re working with and whether or not they’re categorized as critical. But what about new vendors?
A robust vendor management policy takes into account the vendors you’re looking to onboard, and it helps you determine whether or not you should do business with them. This is based on many things, but it should definitely take into consideration their cybersecurity standings.
At BitSight, we offer time-limited access to our security ratings to help you determine whether a vendor relationship is worth pursuing.
4. Don’t forget to continuously monitor
Vendor management policies don't end after the diligence process. Traditional vendor risk assessment methods are subjective, unverifiable, and unactionable. Offering a glance at their cybersecurity one day of the year isn’t enough. You need a way to continue to monitor and verify if a third party’s security posture is consistently strong, and you need to be alerted to new risks and vulnerabilities in their network.
Protect your business
Building a vendor management policy will give you confidence that you and your vendors are meeting the commonly expected standards of care.
Continuously monitoring and working with your vendors to ensure they’re meeting your cybersecurity expectations will reduce the likelihood that you will become the victim of a cyber attack through your supply chain.
By putting a vendor management policy into place immediately, you’ll know that your vendors take cybersecurity as seriously as you do.
If you’re using a “one-size fits all” approach to managing your vendor lifecycle, you are missing opportunities to save money and operate more efficiently. Vendor management efficiencies don’t end in the onboarding stage: using a...
If you’re experiencing frustrating delays and procedural roadblocks during your vendor management process, you’re not alone. Security managers are seeing an increase in the number of third-parties integrating with their business, and ...
During this dynamic and stressful workplace environment 2020 has brought us, finding the most efficient ways to perform in your job has never been more important. When it comes to managing your vendor lifecycle, there are three ways you...