Why Vendor Risk Management Matters
March 09, 2021 by Loren LaChapelle
In December 2020, SolarWinds, a large technology company whose IT monitoring and management tools are used by organizations across the globe, learned that it had been the victim of a major supply-chain compromise. The intrusion was first spotted by FireEye, one of SolarWinds' own customers, while FireEye was investigating a breach of its own network. It was later determined that the attackers had been inside SolarWinds' environment for months before being detected.
The attackers inserted a backdoor into a legitimate update for SolarWinds' Orion platform, and the tainted build was then distributed through SolarWinds' own signed update channel. Many SolarWinds customers, including the U.S. Treasury, State, Energy, and Commerce Departments, the Pentagon, and private companies such as Microsoft and FireEye, installed the update, which gave the attackers a foothold on their networks as well.
Although the investigation is still ongoing, this incident is widely regarded as one of the most significant supply-chain compromises on record. Roughly 18,000 customers downloaded the backdoored update; the attackers then followed up on a far smaller set of high-value targets, and the 250 (and counting) networks known to have been actively compromised include some of the last organizations anyone would want a foreign adversary inside. These government agencies hold highly sensitive information, and because products from vendors like Microsoft are used by nearly every organization, the risk does not stop at the first victim: it trickles down to every organization that depends on an affected party.
This attack is a clear lesson in why organizations should incorporate vendor and supply-chain risk management into their cybersecurity program. Without that oversight, a breach at one of the third parties your organization works with can escalate quickly into a breach of your own. Let's review the basics of a vendor management program.
The Basics of a Vendor Management Program
It’s important to ensure you have a plan to assess and track your vendors.
You can take the following steps to assess your vendors:
- Identify your vendors and prioritize by risk. Start by identifying every vendor that has access to customer and/or sensitive data, every vendor with access to your network, and, in particular, every vendor whose software runs with privileged access inside your environment (an IT monitoring tool is the textbook example). Next, rank your vendors according to the risk associated with the relationship. Not all vendors are created equal when it comes to risk: some will be critical to your operations and require a high level of trust, while others can be given more leeway because they are not. Your policy should define several risk classifications, shaped by your regulatory requirements and industry best practices.
- Perform due diligence. Use this process to determine the cybersecurity resiliency of each vendor: the controls in place, business continuity plans, incident response program, vulnerability and breach notification standards and, for software vendors, how they protect their build and release pipeline. Due diligence also includes collecting documentation and evidence from the vendor and developing contract language that requires the behaviors and controls you deem necessary.
- Determine whether you accept the risk of working with each vendor. Once you have reviewed a vendor's materials, it is up to your organization to decide whether you want to work with them. If your due diligence shows that controls are missing in some areas, contact the vendor to see whether they can close those gaps, and consider what compensating controls you can apply on your own side (least-privilege access for the vendor's software, network segmentation, monitoring of its outbound traffic) while they do.
Many organizations work with a large number of vendors and third parties. You should also be tracking your vendors to ensure your internal information is still accurate. You can do this by:
- Keeping an updated record of active vendors. Larger organizations can have dozens (or more) vendors, especially when there are multiple offices or departments involved. If you aren’t keeping track of all your organization's vendors, it can be easy for one of them to slip through the cracks … especially if it’s an application that’s not widely used by everyone in your organization.
- Scheduling regular reviews of vendors. In addition to keeping an updated list of the vendors you work with, you need to reassess them regularly, with a cadence tied to each vendor's risk tier. Threats and best practices evolve constantly, and so does a vendor's security posture, so an assessment that was accurate when you signed the contract says little about the vendor today.
Three Common Vendor Management Mistakes
Now that we've reviewed the basics of vendor management, we'll look back at the SolarWinds breach and at three common mistakes the impacted organizations likely made.
- Organizations didn't know their vendors. Many compromised SolarWinds customers didn't even realize they were running the affected SolarWinds product until the compromised versions and the list of impacted organizations were made public.
- Assumptions were made about vendor security. It is clear now that many impacted organizations trusted SolarWinds automatically. Because SolarWinds is a large enterprise, affected organizations likely assumed it was big enough to have extremely tight security controls. Size is not a control; always do your own due diligence on a vendor.
- Affected groups likely relied on a one-time assessment. It's possible that SolarWinds passed initial reviews from affected parties; however, many likely assessed the SolarWinds product only once. You should never expect an assessment from a few years ago to still be valid today.
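The two tracking steps above (keeping a current vendor record and reviewing vendors on a schedule) and the first and third mistakes (unknown vendors, stale assessments) can both be checked mechanically if you reconcile your software inventory against your vendor register. The following script is an added example, not code from the original post or from any vendor management product. The vendor names, hosts, products, dates and the per-tier review cadence are all constructed for illustration; the cadence in particular is a policy choice you would set yourself.

```python
"""Reconcile a software inventory against a vendor register.

Added example (not part of the original post). It flags:
  1. vendors found in deployed software but absent from the register
     (the "didn't know their vendors" mistake), and
  2. registered vendors whose last assessment is older than the review
     cadence for their risk tier (the "one-time assessment" mistake).
All data below is constructed; vendor, host and product names are hypothetical.
"""
from datetime import date, timedelta

# Review cadence per risk tier, in days. Assumption: a policy choice, not a standard.
REVIEW_CADENCE_DAYS = {"critical": 180, "high": 365, "medium": 730, "low": 1095}

# Date the checks are run "as of" (fixed so the example is deterministic).
AS_OF = date(2021, 3, 9)

# Constructed vendor register: vendor -> (risk tier, date of last assessment).
VENDOR_REGISTER = {
    "MonitorCo": ("critical", date(2018, 6, 1)),   # monitoring agent with admin rights
    "PayrollCo": ("high", date(2020, 11, 15)),
    "SwagCo": ("low", date(2019, 1, 10)),
}

# Constructed software inventory: (host, vendor, product), as an endpoint
# agent or package inventory might report it.
SOFTWARE_INVENTORY = [
    ("dc01", "MonitorCo", "NetWatch Agent 4.2"),
    ("web03", "MonitorCo", "NetWatch Agent 4.2"),
    ("hr-app", "PayrollCo", "PayPortal 9"),
    ("lab-07", "PlotCo", "ChartTool 2.1"),  # installed by one team, never registered
]


def unregistered_vendors(inventory, register):
    """Vendors with deployed software that the register knows nothing about."""
    deployed = {vendor for _host, vendor, _product in inventory}
    return sorted(deployed - set(register))


def overdue_reviews(register, today, cadence=REVIEW_CADENCE_DAYS):
    """Vendors whose last assessment is older than their tier's cadence.

    Returns a list of (vendor, tier, days_overdue), most overdue first.
    """
    overdue = []
    for vendor, (tier, last_assessed) in register.items():
        due = last_assessed + timedelta(days=cadence[tier])
        if today > due:
            overdue.append((vendor, tier, (today - due).days))
    return sorted(overdue, key=lambda item: item[2], reverse=True)


def hosts_for_vendor(inventory, vendor):
    """Blast radius: which hosts run software from this vendor."""
    return sorted({host for host, v, _product in inventory if v == vendor})


if __name__ == "__main__":
    for vendor in unregistered_vendors(SOFTWARE_INVENTORY, VENDOR_REGISTER):
        hosts = hosts_for_vendor(SOFTWARE_INVENTORY, vendor)
        print(f"UNREGISTERED: {vendor} present on {hosts}")
    for vendor, tier, days in overdue_reviews(VENDOR_REGISTER, AS_OF):
        hosts = hosts_for_vendor(SOFTWARE_INVENTORY, vendor)
        print(f"OVERDUE: {vendor} ({tier}) review is {days} days late; on {hosts}")
```

Run as-is, it reports PlotCo as an unregistered vendor on lab-07 and MonitorCo, the critical-tier monitoring vendor, as 832 days overdue for review. The point of pairing the two checks is that the most dangerous vendor is often both: widely deployed with high privileges, and last looked at years ago. Feed the real inventory from whatever endpoint or package management tool you already run, and wire the output into a ticketing system rather than a printout.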
The full impact of the SolarWinds breach is yet to be determined, but it already illustrates just how important it is for every organization to incorporate vendor management into its cybersecurity program. If you keep a pulse on your vendors by tracking them and periodically reassessing their security measures, you reduce the risk of your own organization being breached even when a vendor is.