Today's IT playing field demands a higher state of alertness, not only within your enterprise but also outside of it. Consider your IT vendors. Critical to your success, they bring strategic business partnerships and a level of knowledge capital to an increasingly complex environment. However, when it comes to security, not all vendors are created equal. Some very likely have inferior security hygiene and practices that can affect you big time.
Accordingly, implementing a successful vendor risk-management program is a crucial component of every cybersecurity strategy. In a March 2018 article, “A New Posture for Cybersecurity in a Networked World,” Thomas Poppensieker and Rolf Riemenschnitter of McKinsey and Company posit that what you have in place as a bulwark against security risk and compromise may not be enough, given your third-party suppliers:
"Companies may well have a state-of-the-art firewall and the latest malware-detection software. And they might have well-tuned security operations and incident-response processes," they state. "But what about third-party suppliers, which might be the weakest link of a company’s value chain? Or the hotshot design studio that has access to the company’s intellectual property (IP)? They may have signed a nondisclosure agreement, but can companies be sure their cybersecurity is up to snuff? The entry point for cyber-attackers can be as trivial as a Wi-Fi-enabled camera used to take pictures at a corporate retreat. Some prominent recent cases of IP theft at media companies targeted third-party postproduction services with inferior cybersecurity."
So where does today's security practitioner start when it comes to creating a vendor risk-management program? Below are six best practices and advice offered by Baan Alsinawi, president of TalaTek, an integrated risk-management provider.
"As a first step, security practitioners should start with understanding their own critical assets or data,” says Alsinawi. “For example, most enterprises have employee records, financial data, and corporate-sensitive information that are all critical assets. Next, they should classify their data by what matters most to least."
According to Alsinawi, this is only a starting point. It's important for the parent company to know the permutations of mishaps and security breaches possible with a contracted vendor and safeguard against them.
Adds Alsinawi: "From here, enterprises need to understand what vendor has access to its own organization’s data, then decide what’s the business impact of a possible data loss caused by multiple scenarios.” These situations can include a power outage at the data center, a vendor that is no longer available due to bankruptcy or merger, or unauthorized access by a vendor’s employee.
Next, design a risk-management program based on data criticality, threat vectors and risk tolerance. Continues Alsinawi, "You are the owner of your own data, and responsible for protecting it through its life cycle, from creation through decommissioning. You can outsource your business functions, but you cannot outsource your responsibility for protecting the data!"
Additionally, Alsinawi recommends developing strict policies and rules of behavior. This might include a routine change of passwords and encryption keys when employees leave. "Also establish legal agreements that align with your risk-management strategies and be sure to consider if your data is governed by different standards in other countries for compliance and legal impact."
Who should be involved in vendor risk management? Everyone, says Alsinawi. But you need to establish an order in approaching and working with vendors, particularly when the enterprise is wide and deep, with vendors performing in different functional areas throughout.
"We advise clients to develop a plan based on RASCI (Responsible, Accountable, Supportive, Consulted, and Informed) to determine who needs to do what as it relates to managing your risk-management program," she says. Involving everyone, however, does require leadership. This leadership needs to remain accountable for ensuring a program not only gets implemented but also achieves compliance. "So accountability should be assigned to senior executives in the organization," she explains. "What’s more, the entire team should be informed. Making everyone aware and sharing the rules of behavior as well as the compliance standards should touch most individuals in the organization."
Good security hygiene with vendors is crucial. Alsinawi offers the following list of best practices as a minimum to develop a foundational risk-management program:
The problem of security risk management of third parties and supplier governance is pervasive. It seems much work needs to be done by most enterprises. Deloitte's Extended Enterprise Risk Management Global Survey 2018 found that few respondents are on top of their vendor risk management. "Only 2 percent of respondents regularly identify and monitor their sub-contractors while another 10 percent do so only for those sub-contractors identified as critical."
Deloitte also points out that vendor risk does not end with the prime contractor. Risk exists with several layers beneath the prime - sometimes at the fourth or fifth tier.
They state, "Only 18 percent of organizations periodically review the concentration risk associated with their fourth/fifth parties quarterly or half-yearly; while the vast majority (82 percent) review this annually or even less frequently, making it a matter of serious regulatory concern in the highly regulated industries."
Often vendor customers are regulated, but the vendors are not. “Disruptive incidents globally are increasingly confirming that these suppliers have themselves been much less focused on bringing in a holistic and integrated approach to their own third-party ecosystem than their customers, as many of these customers may be subject to third-party regulation in their respective industry segments which the suppliers or sub-contractors are not."
The financial services industry, for example, is highly regulated. But what about legal firms contracted to such firms – are they regulated?
According to Accenture Consulting in their report Third-Party Risk Discipline for Legal Departments, this pointed example presents a security vulnerability.
Accenture states: “The demand to secure customer personal information and client data is being driven both by clients and regulators. Financial services firms often need to share sensitive client data, firm data, and non-public market-moving data (that is, data related to a merger, acquisition or initial public offering) with legal institutions as part of the work being conducted by outside counsel. While the storage of this data itself creates a demand for third‑party controls, the need for data security controls is greater because law firms tend to be larger targets for cyber‑attacks and often do not have the defenses in place to protect themselves and secure the data.”
It’s important to keep in mind that managing vendor risk means taking a close look at third parties and beyond. Plus, don’t rely on the premise that the industry is regulated, therefore all the vendors are also regulated and controlled.
In summary, vendor risk management is a challenging task, but an important and serious one. Regardless of the landscape of your IT ecosystem and its many vendors, the best defense is a strong offense via a smart vendor risk-management program.