By Delaney Moore   /   Apr 2nd, 2019

Vendor Risk Management - the Importance of Vendor Vetting

Most of us wouldn’t trust just anyone to watch our children, home, or pets, right? And we typically don’t hire just anyone who applies for employment, do we? What about the guy living out of his van offering low cost tax prep? Probably not your first choice this tax season.

It’s our instinct to take the time to look into these people and perform the due diligence and oversight necessary to assure us that we’re entrusting the right people with our assets. A similar approach needs to be taken when it comes to entrusting vendors with your organization’s systems and data, as well as your clients’ data! Vendor risk management assessments should be an important part of your cybersecurity plan.

Why implement a vendor risk management program?

While leveraging the multitude of third-party service offerings can greatly improve your organization’s efficiency, reduce overhead costs, and alleviate resource constraints, it also exposes your organization to a multitude of risks. All too often organizations default into an ‘out of sight, out of mind’ approach when it comes to whether vendors are prepared and capable of safeguarding their data, resulting in poor initial due diligence and little to no ongoing oversight. Other contributing factors include lack of time or knowledge around what to consider when selecting vendors.

Ultimately, regardless of the reason, the fact is that if one of your vendors experiences a data breach, your organization is the one left to pick up the pieces. Your company bears the financial and operational consequences of the vendor’s breach, and will be viewed as responsible in the eyes of your clients. This could have a major negative impact on your organization’s reputation and on its ability to retain existing clients and attract new ones.

Here are a few real-world consequences related to poor vendor risk management:

  • When Target was breached, attackers gained access to the Target network by compromising their third-party HVAC vendor’s poorly secured user account. This led to a breach of around 40 million card numbers, and the CEO and CIO both resigned as a result. Even though this breach occurred back in 2013, people still think of Target when they think of major retail credit card breaches.
  • The Netflix hack resulted in the release of episodes from an upcoming new season of Orange Is The New Black that had not yet aired. This was the result of one of their contracted third-party production firms being hacked.
  • The Ticketmaster breach in 2018 resulted from malware infecting a third party website chat support service, which resulted in the compromise of millions of customer payment records.
  • Atrium Health experienced a breach in 2018 due to compromise of its health care billing vendor’s database. This resulted in the exposure of over 2 million health records to attackers.

Companies can’t predict whether a vendor will have a security breach, and even performing the necessary due diligence will not provide a 100% guarantee that your company’s data is safe. Think about Equifax – how many companies reviewed Equifax’s SOC reports and internal policies without identifying any concerns? We have to accept the idea that risk is NEVER going to be eliminated, but it can be reduced with third party risk assessment and proper vendor selection. It is also important to be able to demonstrate that your company performed its due diligence.

Conducting a third party risk assessment

Here are some basic things to consider when conducting your initial due diligence prior to selecting a vendor:

What level of due diligence is required?

  • Perform an initial third party risk assessment and develop a risk rating system for vendors. Start by considering the sensitivity of the data and systems the vendor will have access to, and the data they will host on their own systems. Not all vendors are created equal. You should perform due diligence for all vendors, but there is no need to treat your office supply vendor the same as your accounting SaaS provider or data center provider. The higher the risk level, the more due diligence required.

There are many valid and accepted approaches to vendor risk rating systems that consider a variety of factors. For instance, some organizations choose to treat criticality and risk separately, assigning risk ratings to reflect the sensitivity of the data and criticality ratings to reflect the data’s importance to operations. Others use risk rating systems that consider both data sensitivity and business criticality to determine a vendor’s risk level.

  • Identify regulatory requirements: When regulated data is involved, take a deeper-dive approach to reviewing each vendor’s security practices. Identify any regulatory requirements prior to launching due diligence procedures to help narrow down the pool of vendors, for example to vendors who specialize in hosting regulated data types and are willing to sign specific agreements – such as Business Associate Agreements in the HIPAA world. Companies can also use the security requirements mandated by these regulations to establish a list of key security controls to focus on during the vetting process.

What should I focus on?

  • Review Cybersecurity Controls: LMG recommends focusing on security controls that are the most relevant to each vendor’s risk rating, whether that is the protection of sensitive data, regulatory compliance, or controls to support system and service availability. Key security controls to consider include:
    • Password requirements (Longer = Stronger)
    • Multifactor authentication for privileged accounts and exposed services
    • Role-based access control to your company’s data and systems
    • Strong encryption at rest and in transit. Confirm whether you or the vendor holds the encryption key.
    • Physical security controls (data centers)
    • Patch management and regular vulnerability scanning
    • Network architecture and boundary protections
    • Audit logging capabilities
    • Active security monitoring
    • Regular third party audits and penetration tests
    • Backups and other resilience planning

When collecting security information it is ideal if vendors can provide third party security assessment or audit reports. Many vendors undergo periodic third party risk assessments or audits, and are willing to provide these reports or letters of attestation upon request. Other sources for information may include a Standardized Information Gathering (SIG) questionnaire, meeting with the vendors, reviewing each vendor’s policies and procedures, and more.

  • Consider business disruptions: Protecting the confidentiality of data is important, but it is also important that organizations run efficiently and effectively. For critical vendors that you rely on for major business functions, look deeper into their contingency planning program, implemented redundancies, and how they would support your company in specific situations. Do they define RTOs as part of SLAs? Is there 24/7 support staff? Do they have immediate fail-over capabilities to alternate sites if you can’t afford downtime? Do they perform (AND test) backups regularly? Could the vendor be easily replaced if needed?

It is important to remember that there are other elements to consider during the vetting process, for instance, whether 4th parties will have access to your data and the vendor’s own vendor management practices. Organizations should also consider including contract terms such as security-relevant clauses, right-to-audit provisions, and incident response or breach notification requirements.

Clearly there is a lot to consider when initially vetting a vendor and establishing an effective vendor risk management program, but based on real-world examples in the news, this is not a topic that organizations can safely avoid. Contact us for help setting up a vendor risk management program, or if you are looking for help performing vendor vetting.

About the Author

Delaney Moore

Delaney is a Senior Security Consultant with LMG Security. Delaney’s focus is within LMG’s Compliance and Advisory services, where she assesses organizations’ security programs using well-known frameworks such as the NIST Cybersecurity Framework and ISO 27001, and assesses their compliance with regulatory standards such as the HIPAA Security Rule. Delaney is experienced in both onsite and remote social engineering, cybersecurity policy and procedure development, vendor risk management, and facilitating security training exercises such as incident response tabletop exercises. She holds her bachelor’s degree from the University of Montana in Management Information Systems, and is a Certified Information Systems Auditor (CISA).