The importance of vetting your vendors: Vendor risk management

In 2013 the U.S. department store Target suffered a major breach. The breach resulted in 70 million customer records being stolen. These records included personally identifiable information (PII) as well as 40 million credit and debit card details. The impact of the breach was far-reaching and is still rumbling on. The latest problem to rear its head is a class action against Target from financial institutions, which may result in pay-outs of around $67 million.

The Target breach was caused by a supplier in its supply chain; this supplier, an HVAC company, was spear phished. That is, specific employees in the supplier organization were targeted with a phishing email that tricked them into entering login credentials into a spoof site, which then forwarded them to the attacker. These credentials turned out to be credentials for Target’s own IT network. Before Target even had a whiff of a security issue, they’d lost the data, and the rest is history.

The story above is a modern-day horror story, but one that brings into sharp relief the need to know your supplier and their operational practices. Vendor Risk Management, or VRM, is an increasingly important area of business risk mitigation. A modern company will often use multiple vendors to supply everything from machine parts to software applications. These vendors often have a very close relationship with an organization, even, as in the case of Target’s supplier, holding privileged access to an internal network. Vendors can be seen as an extension of your own company and, as such, need the same stringent checks you would place on your own employees and company dealings. Having a formalized strategy for VRM is an important activity that helps reduce the risks associated with working with third parties.

Types of Risks in Vendor Relationships

The types of risks that an organization needs to be aware of when building a vendor relationship are:

1. Data transfers: In nearly all vendor relationships you will have to share some sort of data. This may be data about joint customers, financial details, or even your own proprietary intellectual property. Data exchange and storage need to be monitored and must adhere to the relevant compliance requirements of the industry, as well as any data protection and privacy laws that exist in your own and the vendor’s country.

2. Network access: If you need to give your vendor access to your IT resources, such as access to databases, you should look at the security options for protecting this access, not just from phished credentials but from insider threats too. In the case of credential theft, second-factor authentication measures such as key fobs, mobile-based, or other out-of-band methods can offer additional security. Insider threats are harder to prevent, but behavioral monitoring and employee vetting can help.

3. Access to premises: As with network access risk, access to premises comes with its own challenges. Extracting sensitive data has become easier. For example, there is a USB device called the Rubber Ducky, costing less than $43, which allows anyone with physical access to company computers to extract sensitive data, including login credentials, in seconds. Ensuring that vendor access is closely monitored and that computer and network access is managed is part of your overall security strategy.
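The network-access point above (second factor on vendor credentials, access limited to what the engagement needs, and ongoing monitoring) is the kind of thing worth checking mechanically rather than on trust. The script below is an added example, not code from the article or from any vendor-management product: it audits a constructed list of third-party accounts and reports which ones lack a second factor, reach beyond their approved scope, or have not been re-certified within an assumed 90-day review window. The account records, vendor names and review window are all constructed for the example.

```python
"""Vendor access audit (added example, not from the article).

Checks a constructed list of third-party accounts against three controls:
a second factor on network access, access limited to the resources the
contract actually needs, and periodic re-certification of that access.
"""
from dataclasses import dataclass
from datetime import date

# Assumption for the example: vendor access is re-certified quarterly.
REVIEW_WINDOW_DAYS = 90


@dataclass
class VendorAccount:
    vendor: str            # supplier the account belongs to
    username: str          # account name on our side
    mfa_enabled: bool      # second factor enforced on login
    scopes: set            # resources the account can currently reach
    approved_scopes: set   # resources the engagement was approved for
    last_reviewed: date    # date access was last re-certified
    active: bool = True    # disabled accounts are skipped, not flagged


def audit_account(acct, today):
    """Return a list of findings for one account (empty if it is clean)."""
    findings = []
    if not acct.active:
        return findings
    if not acct.mfa_enabled:
        findings.append("no second factor on network access")
    excess = acct.scopes - acct.approved_scopes
    if excess:
        findings.append("access beyond approved scope: " + ", ".join(sorted(excess)))
    if (today - acct.last_reviewed).days > REVIEW_WINDOW_DAYS:
        findings.append("access not reviewed in last %d days" % REVIEW_WINDOW_DAYS)
    return findings


def audit(accounts, today):
    """Map each account name with at least one finding to its findings."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct.username] = findings
    return report


# Constructed sample accounts; names and dates are made up for the example.
SAMPLE_ACCOUNTS = [
    VendorAccount("Example HVAC Co", "hvac-portal", mfa_enabled=False,
                  scopes={"billing-portal", "internal-network"},
                  approved_scopes={"billing-portal"},
                  last_reviewed=date(2015, 1, 5)),
    VendorAccount("Example Parts Ltd", "parts-erp", mfa_enabled=True,
                  scopes={"erp"}, approved_scopes={"erp"},
                  last_reviewed=date(2015, 5, 1)),
    VendorAccount("Former Contractor", "old-contractor", mfa_enabled=False,
                  scopes={"erp"}, approved_scopes=set(),
                  last_reviewed=date(2014, 1, 1), active=False),
]
SAMPLE_TODAY = date(2015, 6, 1)


def run_sample():
    """Audit the constructed accounts as of the constructed date."""
    return audit(SAMPLE_ACCOUNTS, SAMPLE_TODAY)


if __name__ == "__main__":
    for user, findings in run_sample().items():
        print(user)
        for f in findings:
            print("  -", f)
```

In the sample, only the HVAC portal account is reported, with all three findings; the parts supplier is within scope and window, and the disabled contractor account is skipped. In practice the account list would be pulled from the directory or access-management system, and the approved scopes from the contract record kept under Know Your Supplier.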

Vendor Risk Management Strategy

There are a number of areas that you should look at when creating a strategy around VRM, from financial to reputational to operational. They should also include:

1. Know Your Supplier (KYS): Make sure you have your supplier details, such as primary contacts, tax information, business addresses and so on. This information forms the basis of your working relationship with the supplier and lets you build up supplier profiles and retain records on each. You can use software systems such as ERP and e-procurement to track supplier performance and ensure you always have up-to-date information on your working relationship. You can extend your data collection on suppliers to keep news articles and general business information on them: information that could alert you to security breaches, or similar issues, and that you can use to protect your own data security. Analysts Aberdeen Group found that companies that closely collate, store and track supplier data had better project outcomes and showed greater cost savings. McKinsey and Company have looked in depth at how best to manage large vendor eco-systems. They suggest the use of workflow to audit vendors and create programs of accountability.

2. Security and compliance considerations: PricewaterhouseCoopers, in their report on ‘Third Party Risk Management’, found that there has been an increase in security incidents that originated from a third-party vendor. They attributed this to the fact that although 71% of the surveyed companies had effective internal security measures, only 32% of those required the same levels of security from their partner companies.

Security is something that has a domino effect across associated organizations. If one company becomes infected by malware, there is a higher chance an associated company will also suffer the infection. The Bring Your Own Device (BYOD) revolution has made it easier for malware to spread between organizations. If a vendor regularly uses their own device within your network and that device is infected, then your data is also at risk.

In addition, there are a number of regulatory drivers that push for greater security awareness across the supply chain. This is particularly true for companies that share data. Most countries have data protection laws, and many, like the EU, have stringent privacy laws. A number of country-specific and industry-specific compliance standards and laws need to be considered across all touchpoints of the company-vendor interface.

Vendor employee security vetting may also be a consideration under certain circumstances, depending on the level of access required within a project. If a project requires access to sensitive company data, such as intellectual property or even source code, the vendor’s employees should come under the same level of security vetting as your own internal employees. This may mean requiring individual non-disclosure agreements and security checks.

Creating an Efficient and Effective Vendor Eco-System

The risk factors around our vendor eco-system are not something that we can just ignore. This is especially true for any areas that involve security and compliance. Our vendors are in many ways an extension of our own business, and as cloud working and BYOD enter the enterprise arena, this is even more so. Improving control of your vendor management will ensure that your data and systems retain the same levels of security policy as you expect from your own internal strategy. This will allow you to adhere to the various compliance expectations and data security requirements. It will also mean that you mitigate the risk of security breaches, something that is becoming an urgent need for businesses of all sizes as the cyber threat landscape becomes ever more threatening.