Third-party vendor management policy is perhaps the most underrated component of a mature cybersecurity strategy. Last year, Becker’s Hospital IT reported startling statistics:
“Although data breaches are rare, almost half – 44 percent – are caused by third-party vendors, according to an eSentire survey. Of the data breaches that happened from a vendor, only 15 percent of firms affected reported that the vendor informed them when a breach happened.”
More recent reports show that nearly 60% of security breaches occur through third-party vendors. As smaller analytics and IT support businesses grow more popular, the number of attack vectors increases.
Many small and medium-sized businesses think that they are immune from cyber attacks due to their size. But the reality is that most hackers don’t usually attack large organizations head-on. It makes more sense to infiltrate these corporations indirectly through the lax cybersecurity measures of smaller vendors.
If your company is like most businesses today, you’ve subcontracted much of your work to third-party vendors. It’s critical that you know which vendors have access to what data and whether those vendors maintain reliable cybersecurity policies and procedures.
What is a Third-Party Vendor Management Policy?
A vendor management policy is a set of internal standards that dictate how a company will protect itself from cyber attacks originating through third-party vendor networks. This formal policy typically includes thorough documentation and a plan to implement controls across the organization.
The foundation of a sound vendor management policy is the policy documentation. This third-party vendor management handbook establishes every way in which decision-makers intend to select, manage, and assess outsourced solutions.
No vendor management policy should be completed without intensive, direct input from company owners (or board members) and the cybersecurity team. Shareholders often enlist the help of experienced technical writers to draft company policy into a working document.
After composing a third-party vendor management handbook, managers should oversee employee training. While most employees may not be held responsible for managing third-party vendor relationships, they all have the ability to spot cybersecurity risk.
Your vendor management policy should give every employee the tools they need to spot and report cyber risks when and if they see them. Additionally, any discussion on cybersecurity is an opportunity to re-educate employees on preventative cybersecurity habits, such as always logging out of work computers and avoiding emails from unknown senders.
Your third-party vendor management policy should establish compliance standards for anyone responsible for selecting or managing third-party vendor relationships. You will also want to create controls that close security gaps between your organization and the vendors to whom you subcontract projects.
These third-party vendor compliance standards ensure that you know where your critical data goes, how to select vendors that meet internal compliance standards, and what to do should a vendor fail to meet those standards.
Key Elements to a Third-Party Vendor Management Policy
Your vendor risk management policy should include all the necessary criteria and controls to ensure that you’re not opening your company to attack vectors posed by vendors. Within your vendor management policies and procedures, you should outline:
- How you select your third-party vendors
- When and how you perform vendor risk assessments
- Necessary legal clauses to include in contracts with third-party vendors
- Cybersecurity risk reporting measures
- How your team will monitor vendor risk
Picking Your Third-Party Vendors
As purchasing and project managers engage sales agents, cybersecurity should be a critical part of the conversation. The third parties you partner with should be able to demonstrate how they properly manage their own cybersecurity risk.
It may be appropriate to request a copy of their cybersecurity policy or perform risk assessments on that vendor before agreeing to do business. Because you will be held liable for your customers’ lost or stolen data – regardless of whether a hacker breaches your or a vendor’s system – you should be as conscientious about a third-party’s security as if it were your own. If you have serious doubts about a vendor’s cybersecurity policies and procedures, you should move on to other vendors.
Performing Risk Assessments
Depending upon the scope of your business, you may not have a lot of power to wield with regard to your vendors’ security standards. However, there are many things that you can do to assess potential risks.
The first step when assessing third-party vendor risks is to prioritize which vendors have the most access to your network and hardware. Those vendors with the most access to company data pose the greatest risk.
After identifying those vendors with the most network access, you should discuss security policy with your vendors. Some organizations send questionnaires while others make in-person visits. The goal is to examine how seriously those vendors take cybersecurity.
You can also revisit service level agreements with those vendors and note anywhere they mention cybersecurity controls. Whether performing these assessments in-house or with the help of a virtual security team, note any instance in which a vendor appears to be lax in upholding security policies.
Third-Party Vendor Contracts
When lining up new vendors or renegotiating contracts, it’s appropriate to include verbiage outlining cybersecurity expectations on behalf of your organization. The more you can incorporate your vendor management policy into third-party agreements, the better.
That said, you can’t bully your vendors into compliance. And it isn’t reasonable to expect that your third-party contractors will allow you to poke at their every vulnerability. By gauging the seriousness with which your vendors take cybersecurity, you will gain the assurance you need to protect your network from back-door attacks.
Reporting on Cybersecurity Risk Management
Some organizations – including third-party vendors – only examine their cybersecurity policies every few years. Since a great deal can happen technologically in that time, it makes more sense to reassess policies and controls more often.
Your cybersecurity team should provide regular reports (monthly, quarterly, etc.) that outline which vendor relationships make your network most vulnerable to cyber attacks. These reports might also include answers from vendor questionnaires on their cybersecurity policies and procedures.
Your vendor management policy should outline ways to enforce compliance for your purchasing and project managers. Since cyber attacks could happen at any time and infiltrate your network through your third-party relationships, everyone involved in vendor relations should understand the risk and take steps (as outlined above) to protect the business from lost/stolen data.
Because most organizations don’t have the payroll for both an IT department and a cybersecurity department, it often makes sense to solicit help from a cybersecurity provider. Agencies providing third-party risk management services can do the heavy lifting associated with third-party risk assessments and compliance monitoring.
Vendor Management Policy Best Practices
To build a successful vendor risk management policy, you’re going to need a few things. Many organizations have focused on building out their capabilities without considering how scaling a business increases the risk of cyber attack.
As you and your superiors begin putting together a vendor management policy, here is a list of policy best practices.
Create data maps.
Data maps clearly outline what information goes where, and they show which vendors have access to that data. Be sure to include vendors that have access to logins, the premises, or network hardware.
The idea with data maps is not to penalize or decrease business with certain vendors. Rather, the objective of a data map is to be aware of all the possible attack vectors to your network.
Be mindful of consumer data privacy law.
If you serve consumers in Canada, Europe, or California, then you are subject to strict consumer data privacy laws. When seeking compliance with regulations such as PIPEDA, GDPR, and CCPA, you need to also consider your vendors.
For example, under the CCPA, California residents are allowed to submit a deletion request to your organization. That means that any personally identifiable information (PII) you have on that consumer must be deleted. The same goes for any vendor or affiliate with whom you’ve shared information.
Part of your vendor management policy should include consumer rights under international consumer data privacy law. You could be prosecuted for the cybersecurity negligence of one of your vendors in the event of lost or stolen data.
Question your vendors about their cybersecurity policies and procedures.
You don’t want to be rude and intrusive, but you do have a right to know how seriously your vendors take their cybersecurity. Some businesses require their vendors to submit answers to surveys. These survey answers can help with cybersecurity audits and risk assessments.
But some vendors will not take impersonal surveys seriously. If it’s just a “check in the box” for them, then they may be conveying false information about the security of their network.
Instead, you can make it a habit to ask pointed questions to key members of your third-party vendor’s staff. Depending upon your professional relationship, it may also be appropriate to visit their campus and observe their security measures in person.
Discuss impact in monetary terms.
Sometimes, the battle for vendor management policy occurs within your organization. Cybersecurity spending doesn’t sound as appealing to executives as does enhancing sales-driven initiatives.
But the fact remains that one security breach could cost the company hundreds of thousands of dollars. Some data breaches are so bad that the business must close its doors or face ongoing civil lawsuits.
When you discuss vendor risk management policy with your superiors, it’s critical that you state the risks in dollars-and-cents terms. Using the FAIR (Factor Analysis of Information Risk) model for risk assessment, you can do this more effectively and motivate decision-makers to invest in third-party risk management.
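As an added illustration of the data-map, vendor-prioritization and dollar-based (FAIR-style) reporting ideas described above, not code from RSI Security or from the FAIR standard: the access weights, vendor records and three-point estimates are constructed, and the model is a simplified expected-value form of FAIR (PERT mean of loss event frequency times PERT mean of loss magnitude).

```python
from dataclasses import dataclass

# Weights for the kinds of access a vendor holds according to the data map
# (constructed, illustrative values, not a published scale).
ACCESS_WEIGHTS = {"pii": 3, "credentials": 3, "network_hardware": 2, "premises": 1, "public": 0}


@dataclass
class Vendor:
    name: str
    access: list   # data categories / access types recorded in the data map
    lef: tuple     # loss event frequency per year: (min, most likely, max)
    lm: tuple      # loss magnitude in dollars per event: (min, most likely, max)


def pert_mean(low, likely, high):
    """PERT mean of a three-point estimate, the shape FAIR analyses commonly use."""
    if not low <= likely <= high:
        raise ValueError(f"need min <= most likely <= max, got {(low, likely, high)}")
    return (low + 4 * likely + high) / 6


def access_score(vendor):
    """Exposure score from the data map; an access type missing from the map is
    rejected so the map stays the single source of truth."""
    unknown = [a for a in vendor.access if a not in ACCESS_WEIGHTS]
    if unknown:
        raise KeyError(f"{vendor.name}: access types not in the data map: {unknown}")
    return sum(ACCESS_WEIGHTS[a] for a in vendor.access)


def annualized_loss(vendor):
    """FAIR-style annualized loss exposure: expected LEF times expected LM."""
    return pert_mean(*vendor.lef) * pert_mean(*vendor.lm)


def rank_vendors(vendors, tolerance):
    """Rank vendors by dollar exposure (ties broken by access score) and flag those
    whose exposure exceeds the organization's stated loss tolerance."""
    ranked = sorted(vendors, key=lambda v: (annualized_loss(v), access_score(v)), reverse=True)
    return [(v.name, round(annualized_loss(v)), access_score(v), annualized_loss(v) > tolerance)
            for v in ranked]


# Constructed sample register: three hypothetical vendors with made-up estimates.
SAMPLE_VENDORS = [
    Vendor("analytics-saas", ["pii", "credentials"], (0.05, 0.10, 0.30), (50_000, 200_000, 800_000)),
    Vendor("msp-network", ["network_hardware"], (0.00, 0.03, 0.12), (12_000, 30_000, 60_000)),
    Vendor("print-shop", ["public"], (0.00, 0.01, 0.02), (600, 1_000, 2_000)),
]

if __name__ == "__main__":
    for row in rank_vendors(SAMPLE_VENDORS, tolerance=10_000):
        print("%-15s ALE $%8d  access %d  over tolerance: %s" % row)
```

The ranked list is the kind of monthly or quarterly report the section above calls for: the vendors at the top hold the most sensitive access and carry the largest expected annual loss.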
Consider outsourcing your third party risk management tasks.
If you run a small or medium-sized business, it may not be financially viable to invest in an in-house cybersecurity team. But thanks to virtual, outsourced cybersecurity companies, even shoestring-budget organizations enjoy the benefits of vCISOs and cybersecurity staff augmentation.
More specifically, third-party risk management services can help you create and maintain a reliable vendor management policy. Not only do these agencies do cybersecurity full-time, but they further understand the nature of cybersecurity in third-party relationships since they also operate as third-party vendors.
These outsourced solutions are more cost effective and agile. Additionally, they don’t suffer from the kind of tunnel vision that’s typical of cybersecurity managers and staff on company payroll.
Pay extra attention to unpatched software and phishing.
The two most common ways that a hacker infiltrates a network are through unpatched software and phishing attempts. Your third-party vendors should be aware of these dominant threats and demonstrate clear controls to address them.
Many cybersecurity threats would be non-existent if companies diligently patched software vulnerabilities. Sometimes, it’s as easy as keeping up with software updates. Other times, the vendor may need to have round-the-clock system monitoring.
When it comes to phishing attempts, the most effective way to resist these threats is by training employees. Untrained staff are more likely to click on the wrong link and invite malware onto the network holding your or your customers’ sensitive information.
Hold your organization to the same standard that it holds for third-party vendors.
It’s ironic that some companies become so consumed with third-party vendor management policy that they neglect their own network. If you expect your vendors to maintain reliable security policies and procedures, then so should you.
Sometimes, decision-makers uncover vulnerabilities closer to home while in the process of developing vendor risk management policy. No matter how vulnerabilities present themselves, any discussion on cybersecurity is an opportunity to improve security wherever possible.
A strong vendor management policy could make the difference between smooth sailing and an epic security breach. It’s important to remember that more than half of hackers today try to infiltrate networks indirectly through third-party vendors. You should only partner with those vendors that take cybersecurity as seriously as you do.
At RSI Security, we understand that most businesses don’t have the payroll ability to build cybersecurity teams that oversee vendor management policy. That’s why we provide affordable third-party risk management services. Our remote experts can perform assessments on your vendors and help you minimize your cybersecurity risk.