The Importance Of Vendor Risk Management

Your cyber security is often only as good as the company you do business with




The importance of vendor risk management

In 2019, cybersecurity will continue to be a major source of investment across all industries. The cyber threat is complex and constantly changing, and a number of high profile cyber attacks in 2018 demonstrate the need for companies of all sizes to shore up their defenses and face the challenges posed by cyber attackers.

But, what is the major area of risks that companies often fall down on? Weak cybersecurity in supply chains and lax vendor risk management.

Like many facets of cybersecurity, third-party risk management is both crucial and subject to frequent change. Achieving high maturity and a stable, resilient security posture is the chief concern of today’s CISO or members of the enterprise team.

Why is vendor risk management important?

While many companies take internal cybersecurity seriously, the cybersecurity procedures of the vendors with whom they do business with every day are often overlooked.

RECOMMENDED: Top CISOs To Confer On Pressing Cyber Security Topics At ‘Exchange’

It is often the risk posed by third-parties and subcontractors that can be particularly problematic across all industries, especially in sensitive sectors such as Defence, pharmaceuticals and oil & gas.

Sectors such as these are characterized by a supply chain consisting of larger companies with the capability to secure themselves, and numerous SME’s that face a disproportionate cybersecurity challenge compared to their larger counterparts.

Whether a larger company likes it or not, third parties contractors are often the first line of defense – or else the first target. Whether an organization hires a third-party risk assessor, or they undertake their own assessment, it is vital that you are aware of the risk profile of the companies they interact with.  

The 10-person shop that only makes a small component in a much larger supply chain is not going to have the same resources to defend against persistent attackers. However, because that small manufacturer must take orders from a larger entity, there is inherent trust, and it allows for a higher success rate for both spear phishing attempts and lateral movement if the two companies happen to have a connection in their networks.

A collective defense is one of the largest and least well-tackled problems right now.

The aggregate vulnerability that is created by vendor relationships that are required to manufacture products and services is a huge concern.

Larger corporations can build capable defenses against everything but the most determined adversary. Unfortunately, these capabilities break down due to the extended and complicated supply chains and relationships that are now required to conduct business. Cyber attackers have always sought the path of least resistance to their targets, as the primary targets get better at cyber defense, the hackers simply went to the second-order providers.

RECOMMENDED: Third-Party Risk Dominates Day 1 Of Cyber Security – Financial Services Exchange

Chief Revenue Officer at CyberGRX, Scott Schneider, told the Cyber Security Hub that in ensuring data security in a third-party setting – somewhat at the network’s periphery – understanding where your data resides is a significant first step.

He said, “In addition to the data that you control, which of your third parties – including vendors, subsidiaries, service providers, joint marketing partners, call centers and cloud providers – have access to sensitive data?”

Schneider said that in addressing network gaps, the identification process continues: Who has access to data or your facilities, or even network? He advocated “due diligence” on each of the third-party controls, developing a closed loop process with the third-party ecosystem and embracing the more modern approach of continuous visibility of a third party’s security posture.

Expanding on this, national cybersecurity expert and the Director of Information Security Services at Integral Partners, Kayne McGladrey, told the Cyber Security Hub that, “If you’re breached by a third party, nobody cares that it’s the third party’s fault. It comes back to you.”

He continued: “It’s your fault for not having adequate controls. And the single easiest third-party control is around onboarding and off-boarding third-party accounts.”

Even if you’re rotating passwords, monitoring privileged access, auditing, etc., McGladrey said you must know, empirically, who’s accessing your network.

McGladrey said that one strong issue surrounding third-party access is shared accounts. That means, when outside contractors access enterprise data, they’re logging in with the same account.

“The way to get around that,” McGladrey told the Cyber Security Hub, “is to institute named accounts for vendors with third-party access… Have onboarding and off-boarding be both a legal agreement and a well-thought-out process. If an employee at a third-party organization leaves, or is suspended, their access should be immediately revoked.”

McGladrey continued: “The bottom line is, if somebody leaves, the account should not work any longer on third-party networks to which that account had access – especially if he/she was terminated for cause.”

RECOMMENDED: Third-Party Risk Dominates Day 1 Of Cyber Security – Financial Services Exchange

Upon a third-party breach, a capable organization would identify compromised accounts, lock them down and mitigate/limit the damage that the end-users sustain.

McGladrey said much of this hinges on early identification. If not, it’s almost as if you have a house “built in sand.”

|Indeed, today’s privacy environment introduces a new type of risk beyond traditional vectors. While security incidents and financial risk are traditionally viewed as high risk for breaches, data privacy risk increases the criticality of adequate vendor and third-party management.

Want to hear more about vendor risk management? 

Check out our online webinar 

Discover how to reconcile if your suppliers are compliant with the different global privacy regulations by taking a holistic approach to global vendor management. In this webinar, we will look specifically at how businesses can combine GDPR and California Consumer Privacy Act vendor requirements to streamline vendor management. 

  1. Understand the Vendor Management components of key regulations including the GDPR and California Consumer Privacy Act.

  2. Discover the requirements of a data controller and processor, accountability landscape under the GDPR and California Consumer Privacy Act.

  3. Review how the California Consumer Privacy Act vs GDPR identify personal data and applications of that data. 

  4. Rethink how businesses are managing and identifying vendor risk, liability and ongoing reassessment.