Vendor risk management (VRM) is a very broad category that encompasses all the measures an organization may take to prevent issues or business disruptions that arise due to vendor and third party relationships. Legal issues, past performance, and creditworthiness are some of the VRM issues small companies review most frequently—but cybersecurity should not be pushed to the back burner.
If your organization is just getting started with cybersecurity VRM, there are four key things you’ll want to consider—and we’ve outlined them in the vendor risk management checklist below.
First and foremost, you need to determine every vendor, contractor, third party, business unit, and partner that works with you. But simply having this list is not sufficient; you then need to tier those vendors based on criticality.
In order to tier them properly, you’ll need to determine which vendors have access to sensitive data or data that you have a legal obligation to protect. This might be personally identifiable information (PII) or other important customer data. Alternatively, the vendor may have a great deal of network access that they don’t need in order to do their job. (This is what happened in the infamous Target breach of 2013 that compromised the data of over 70 million customers.) If any vendor—large or small, critical or seemingly insignificant—has vast network access, a hacker can use that access to infiltrate your network and cause catastrophic damage.
To get a better idea of your vendor’s cybersecurity health, you’ll want to ask for documentation. You may also have them fill out a questionnaire, go for an on-site visit, perform a penetration test, etc. These assessment methods are common, but there are clear limits to the amount of information they provide. They only answer your questions for one specific point in time, and they don’t offer a view of the vendor’s dynamic cybersecurity posture.
If you’re a smaller organization—or if you’re just getting started with a vendor risk management checklist—you may not have the time or resources to administer all of these assessments. That’s where continuous monitoring comes in (see #4).
At this point, you’ll know which vendors should be deemed critical in regard to cybersecurity, and you’ll have a better idea of the cybersecurity posture of those vendors. Now you’ll want to go back through your vendor contracts and re-evaluate the following:
In addition, you should go into detail about when your vendor should notify you if there’s been a breach. Having all of this information will give you some peace of mind as your vendors handle your critical data.
As we mentioned in #2, traditional vendor assessments only give you a high-level look at a vendor’s security practices. Documentation is still important—and will continue to be in the future—but small and large organizations alike have realized that most vendors answer security questionnaires similarly, and the information alone isn’t actionable or verifiable.
Therefore, more companies are looking toward continuous monitoring assessment tools to add to their vendor risk management checklist. These tools provide the independent, quantitative approach to vendor risk management you need to help take even a small company to the next level of security performance.
As a small company, you may be limited in personnel and resources to dedicate to your vendor risk management framework. But if you are able to make the four best practices listed above a priority—and focus on completing each step with as much care as possible–you’ll be putting your company’s cybersecurity in a good position.
