A Vendor Risk Management Checklist For Small Companies

Vendor risk management (VRM) is a broad category covering all the measures an organization takes to prevent issues or business disruptions that arise from vendor and third-party relationships. Legal issues, past performance, and creditworthiness are the VRM issues small companies review most frequently, but cybersecurity should not be pushed to the back burner.

If your organization is just getting started with cybersecurity VRM, there are four key things you’ll want to consider—and we’ve outlined them in the vendor risk management checklist below.

1. Identify and tier your third parties.

First and foremost, you need to inventory every vendor, contractor, third party, business unit, and partner that works with you. But simply having this list is not sufficient; you then need to tier those vendors by criticality, so that your limited assessment effort goes to the ones that could hurt you most.

To tier them properly, determine which vendors have access to sensitive data or to data you have a legal obligation to protect, such as personally identifiable information (PII) or other important customer data. Then look at network access separately: a vendor may hold far more network access than it needs to do its job. (This is what happened in the infamous Target breach of 2013, where an HVAC contractor's network credentials were the attacker's way in and the data of over 70 million customers was compromised.) If any vendor, large or small, critical or seemingly insignificant, has broad network access, an attacker who compromises that vendor can use the access to move into your network and cause catastrophic damage. Such vendors belong in your top tier regardless of how little data they handle.
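The tiering rule described above, written out as an added example (this is not code from the original article or from any product it mentions). It scores each vendor on the two factors the text names, data sensitivity and network access, and forces any vendor with flat network access into Tier 1 even when it handles no data at all. The access-level labels, the point values, and the vendors in the inventory are all hypothetical and constructed for the example.

```python
"""Tier third parties by the damage a compromise of them could do to you."""
from dataclasses import dataclass
from typing import List, Tuple

# Coarse network-access levels, least to most privileged. Hypothetical labels;
# map your own VPN roles, firewall zones, or SaaS-only access onto them.
ACCESS_LEVELS = ("none", "portal_only", "segmented", "flat")


@dataclass(frozen=True)
class Vendor:
    name: str
    handles_pii: bool        # PII or other important customer data
    regulated_data: bool     # data you have a legal obligation to protect
    network_access: str      # level actually granted, one of ACCESS_LEVELS
    required_access: str     # level the service genuinely needs

    def __post_init__(self) -> None:
        for level in (self.network_access, self.required_access):
            if level not in ACCESS_LEVELS:
                raise ValueError(f"{self.name}: unknown access level {level!r}")


def access_rank(level: str) -> int:
    """Higher rank means more of your network is reachable from the vendor."""
    return ACCESS_LEVELS.index(level)


def excess_access(v: Vendor) -> bool:
    """True when the vendor holds more network access than its job needs."""
    return access_rank(v.network_access) > access_rank(v.required_access)


def risk_score(v: Vendor) -> int:
    """Additive score: data obligations plus reach into your network.
    Point values are a hypothetical weighting, not an industry standard."""
    score = 0
    if v.regulated_data:
        score += 3
    if v.handles_pii:
        score += 2
    score += access_rank(v.network_access)   # contributes 0..3
    if excess_access(v):
        score += 1                           # unneeded reach is its own risk
    return score


def assign_tier(v: Vendor) -> int:
    """Tier 1 = critical, Tier 2 = elevated, Tier 3 = low."""
    if v.network_access == "flat":
        return 1          # broad network access alone makes a vendor critical
    s = risk_score(v)
    if s >= 4:
        return 1
    if s >= 2:
        return 2
    return 3


# Constructed sample inventory. None of these are real vendors.
INVENTORY: List[Vendor] = [
    Vendor("Hypothetical Payroll SaaS", True, True, "portal_only", "portal_only"),
    Vendor("Hypothetical Backup Provider", False, True, "segmented", "segmented"),
    Vendor("Hypothetical HVAC Co", False, False, "flat", "none"),
    Vendor("Hypothetical Email Marketing", True, False, "portal_only", "portal_only"),
    Vendor("Hypothetical Catering", False, False, "none", "none"),
]


def review_plan(vendors: List[Vendor] = INVENTORY) -> List[Tuple[str, int, bool]]:
    """Return (name, tier, has_excess_access) ordered by who to assess first."""
    ordered = sorted(vendors, key=lambda v: (assign_tier(v), -risk_score(v), v.name))
    return [(v.name, assign_tier(v), excess_access(v)) for v in ordered]


if __name__ == "__main__":
    for name, tier, excess in review_plan():
        flag = "  <- trim network access" if excess else ""
        print(f"Tier {tier}: {name}{flag}")
```

The HVAC vendor in the sample inventory handles no customer data yet lands in Tier 1 with an excess-access flag, which is exactly the case the Target breach illustrates: the first action for such a vendor is to cut its network access down to what the service needs, not to send it a longer questionnaire.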

2. Assess the cybersecurity of your third parties.

To get a better idea of a vendor's cybersecurity health, ask for documentation, such as its security policies and any third-party audit reports. You may also have the vendor complete a cybersecurity risk assessment questionnaire, make an on-site visit, have a penetration test performed, and so on. These assessment methods are common, but there are clear limits to the information they provide: they answer your security risk assessment questions for one specific point in time, and they offer no view of how the vendor's cybersecurity posture changes afterwards.

If you’re a smaller organization, or if you’re just getting started with a vendor risk management checklist, you may not have the time or resources to administer all of these assessments to every vendor. Reserve the heavier methods for your top tier, and let continuous monitoring (see #4) cover the rest.

3. Take a look at your contracts.

At this point, you’ll know which vendors should be deemed critical in regard to cybersecurity, and you’ll have a better idea of the cybersecurity posture of those vendors. Now you’ll want to go back through your vendor contracts and re-evaluate the following:

  • What specifically do you want to hold your vendors accountable for (for example, protecting the data you share and limiting who can access it)?
  • What level of security should your vendors meet, and how will you verify it?
  • What standards or frameworks do you want your vendors to abide by?

In addition, spell out when and how a vendor must notify you if there has been a breach, including a deadline measured from the time the vendor discovers it, so that your own incident response and any legal notification obligations are not delayed. Having all of this in writing will give you some peace of mind as your vendors handle your critical data.

4. Employ the use of continuous monitoring services.

As we mentioned in #2, traditional vendor assessments only give you a point-in-time look at a vendor’s security practices. Documentation is still important, and will continue to be, but small and large organizations alike have realized that most vendors answer security questionnaires similarly, and self-reported answers alone are neither actionable nor verifiable.

Therefore, more companies are adding continuous monitoring tools to their vendor risk management checklist. Because these tools observe vendors from the outside on an ongoing basis, they provide the independent, quantitative view of vendor risk that questionnaires cannot, and they can help take even a small company to the next level of security performance.

A Brief Reminder

As a small company, you may be limited in the personnel and resources you can dedicate to your vendor risk management framework. But if you can make the four best practices listed above a priority, and complete each step with as much care as possible, you will be putting your company’s cybersecurity in a good position.
