Catching the Blind Spots of Vendor Risk Management

In today’s day and age, organizations understand that data breaches are a growing problem, but many fail to realize that a third party breach can impact them as much as a breach on their own network. Here we’ll examine several misconceptions surrounding vendor risk management (VRM), and how you can proactively create a strategy to avoid common pitfalls.

The Spread of Third Party Breach Disruptions

In October of 2016, multiple distributed denial-of-service (DDoS) attacks took place and targeted systems operated by the Domain Name System (DNS) provider Dyn. These massive attacks rendered major Internet platforms and services to be unavailable to large groups of users in both Europe and North America. In fact, 3,500 companies had at least one domain using Dyn, and 500 companies used Dyn for 100% of their domains. While not many knew of Dyn, a significant number of companies were impacted by this attack. This is a strong example of a hidden aggregate risk issue; one relatively unknown service provider ended up impacting a large number of companies, many of which could be in your vendor ecosystem.

The Dyn attacks reinforced the fact that these large scale disruptions are becoming more and more common. Now consider the WannaCry attack from March of this year, where hackers held hundreds of companies’ information at ransom and left organizations scrambling to ensure that their vendors were not affected. Many companies have been left wondering whether a third party with a weak security posture can make their own data vulnerable to attacks.

You may be thinking, “this does not affect me or my third parties.” The truth is, third party risk affects nearly every single company. There are several other misconceptions around VRM:

• My vendors are compliant with all regulations, no action needed.
• We haven’t had any breaches, we’re all set.
• We’re not focusing on vendor security at the moment. We don’t even have enough resources to focus on vendor risks.
• We already have our arms around our most important vendors. We're fine.

Impact Within the Business

So, why does this matter? Consider the Board of Directors. Because they are laser-focused on the health of the company, they are increasingly asking about cybersecurity and vendor security. This is driven by the increasing frequency of data breaches. The 2013 Target breach, for example, caused Board members everywhere ask, “could this happen to us?”

An increasing number of security leaders are being asked to present to executives on their security and risk programs. If CISOs can’t accurately represent the health of the company’s cybersecurity, they may not be able to fight for larger budgets and align the goals of cybersecurity with the goals of the business. This is a VRM blind spot: lack of reporting may lead to lack of budget, which will create gaps in your risk management approach.

In addition to the Board, regulators are also asking key questions about third party risk management. In fact, there have been quite a few regulations recently that have changed the regulatory landscape. Here are just a few regulations and frameworks to monitor over the next year:

• The next draft of the National Institute of Security and Technology (NIST) Cybersecurity Framework (CSF) is expected to include 3rd party risk management language.

• The Office of the Comptroller of Currency (OCC) recently instructed its regulators to examine a company’s third party risk management approach.

• The new SSAE-18, effective on May 1, 2017, includes language on fourth party risk management - managing the security of subcontractors. The fact that the new SSAE-18 includes this language demonstrates the evolution of the compliance and regulatory landscape.

• The General Data Protection Regulation (GDPR) will go into effect in May 2018. The GDPR replaces existing European data privacy laws and covers anyone doing business in Europe, and will inevitably put pressure on companies in the United States who do business overseas. The GDPR’s proposed penalty fines will encourage companies to be vigilant about their compliance with these regulations, as well as their third party vendors’ compliance. Organizations run the risk of being heavily fined if their vendors do not adhere to the new regulations.

Recommendations

Despite the common misconceptions associated with third party risk management, what can you do to avoid VRM pitfalls?

• Build your program to scale. The security landscape will continue to change, demands from the business and externally will grow. It’s critical to be able to remain agile enough to scale your VRM program to meet these various needs.

• Identify and prioritize efforts on your vendors with the highest level of risk. Categorize your vendors into tiers (ex: Tier 1, 2, 3). This will help your team treat each vendor with the appropriate level of due diligence depending on their criticality to your business. By simply changing the amount of data that you share through them, or moving your data centers in house, for example, could change how you approach the vendor.

• Implement a continuous monitoring program. The security of your vendors can change in an instant. You should not wait for an annual risk assessment to know the security health of your vendor-- you should always be monitoring them.

• Collaborate. The best way to approach a good relationship with vendors is through good collaboration, which is a critical part of a solid vendor risk management program. By using a collaborative approach to your vendor relationships, you will be able to have more productive discussions about both their security posture and yours.

• Provide a complete view of your vendor ecosystem and their performance over time. If you are improving your VRM program, you have to be able to measure and demonstrate this. You need metrics that you can share with the Board of Directors or other executives, which include a good way to visualize marked improvements. Don’t focus on a snapshot; provide more than just 6 months of data — aim for a year or more. This is where organizations can truly identify trends and patterns of concern.

• Leverage analytics. Explore aggregate security risk over time and identify the vendors in your supply chain, and their vendors. The same points made here about the value of VRM should carry over to your vendors. How well are they truly managing their vendors. The breadth and depth of the data you leverage, and the ability to automate this, matters.

Organizations are only as strong as their vendors. Today, it’s critical that companies evaluate the security of both third and fourth parties, and tailor their actions around implementing a vendor risk management strategy to avoid being impacted by blind spots.