A vendor management policy is put in place so an organization can tier its vendors based on risk. A policy like this identifies which vendors put the organization most at risk and then expresses which controls the company will implement to lessen this risk. These controls might include rewriting all contracts to ensure vendors meet a certain level of security or implementing an annual inspection.
That all probably sounds pretty good, but you may still be wondering: Why should you have a vendor management policy—and why is it urgent? These four explanations will give you a better idea.
Why You Need A Vendor Management Policy
1. You could get sued.
There are a growing number of legal requirements in a variety of sectors—from finance, to retail, to health care, to energy—on how companies should manage their third-party risk. Regulators have recognized that data breaches through third parties can have significant and sometimes catastrophic consequences for an organization and have created various legal requirements in an effort to have organizations manage their third-party cyber risks more carefully. If you don’t have a vendor management policy today and you’re in a regulated industry, you could be out of compliance (and in a lot of trouble).
2. You’re a target.
An organization should be concerned about third parties that have either access to its most sensitive data or direct access into its corporate network. So if you’re working with a lot of third parties, you’re naturally creating more targets that hackers and criminals can exploit. This is becoming more common, because organizations are outsourcing to vendors more frequently in an effort to either save costs or capitalize on vendor expertise. And while that’s all well and good, the more vendors you have, the larger the risk landscape you create. This is a well-known risk—but all too many companies don’t give it enough thought.
3. You have vulnerabilities you don’t even know about.
Not all risks are easily understandable. Many organizations today have entered into business relationships with third parties not fully understanding what the risk to their data is. And what’s more, the first party may not have set requirements for how their vendors should secure their data. A lot of organizations struggle with even knowing who has access to their sensitive data, how much access they have, where it resides, and more. These “unknowns” give plenty of folks a valid reason for concern.
4. You might face some severe consequences.
To see how very real the consequences of not having a vendor management policy are, simply read some of the latest cybersecurity headlines. An example that demonstrates the significant impact of a third-party breach is the recent Experian breach, which exposed the personally identifiable information of over 15 million consumers. In this case, Experian was holding loads of sensitive T-Mobile customer data, which hackers were able to access. T-Mobile CEO John Legere expressed how furious he was at Experian for being the source of this compromise. Nothing has been stated yet, but we’re certain that this business partnership will be reevaluated after this experience.
The truth is, if you don’t have a vendor management policy in place today, your company is being negligent. Unfortunately, not having a policy in place means that there’s a good chance your organization’s sensitive data may be handled by someone who shouldn’t have access to it. And this puts the health of your entire company on the line.
If the above reasons have convinced you to implement a vendor management policy immediately, do you know where to start? You might be feeling a little overwhelmed—and that’s where we step in. Below, we’ve outlined four tips that will get you started with your vendor management policy right away.
How To Create A Vendor Management Policy
1. Start by building a team.
It’s critical to have people from many different positions and perspectives on your vendor management team. Aside from upper management, you want to have someone from acquisitions and procurement, a lawyer, an IT security person, and someone representing the business unit, so you can understand the data. This team will be charged with taking on the next step, which is to gather a list of vendors and determine which of them are critical.
2. Gather a list of your vendors.
Keep in mind that the definition of a vendor isn’t as narrow as you might think. This all-encompassing list should include every third party, contractor, or associate your organization does business with or works in partnership with. Having a vague idea of which companies might make the list isn’t enough—you need to know exactly who these vendors are.
Once the list is compiled, you’ll begin the critical assessment process. You’ll need to determine which vendors:
- Have access to your sensitive and important data
- Have direct access to your corporate network
Once you’ve sorted out these vendors, they should be categorized as “critical.” These are the vendors you’ll want to spend the most time learning about and monitoring—because if one of these vendors is compromised in any way, and the hacker finds a backdoor into your organization through the vendor, the destruction to your data or network could be catastrophic.
3. Keep vendor management in mind during the diligence process.
At this point, you have already identified the vendors you’re working with and whether or not they’re categorized as critical. But what about new vendors? A robust vendor management policy takes into account the vendors you’re looking to onboard, and it helps you determine whether or not you should do business with them. This is based on many things, but it should definitely take into consideration their cybersecurity standing. At BitSight, we offer time-limited access to our security ratings to help you determine whether a vendor relationship is worth pursuing.
4. Don’t forget to continuously monitor.
Vendor management doesn’t stop after the diligence process. Traditional vendor risk management assessment methods are subjective, unverifiable, and unactionable. A glance at a vendor’s cybersecurity one day of the year isn’t enough. You need a way to continue to monitor and verify whether a third party’s security posture is consistently strong, and you need to be alerted to new risks and vulnerabilities in their network.
Building a vendor management program will give you confidence that you and your vendors are meeting the commonly expected standards of care. Continuously monitoring and working with your vendors to ensure they’re meeting your cybersecurity expectations will reduce the likelihood that you will become the victim of a cyber attack through your supply chain. By putting a policy into place immediately, you’ll know that your vendors take cybersecurity as seriously as you do.