Four Steps to Vendor Risk Management
If you lend your neighbor your cell phone, you’re taking a risk. How do you know the phone won’t come back cracked?
To lower your risk, you’re likely to ask some questions about how they'll care for it:
- What are they going to do with your phone?
- Where are they going to keep it?
- Are they going to just leave it sitting out in their car?
We ask questions like these naturally in personal relationships. Vendor risk management simply means taking that mentality and applying it to business: systemizing and operationalizing the process.
Evan Francen, the Founder and CEO of SecurityStudio, used this cell phone example in a recent webinar he did with Loffler on vendor risk management. In the webinar, he explained how you take on risk when you do business with third-party vendors. If they were to be attacked with malware, how do you hold them accountable to keep you secure?
Francen detailed how businesses can keep the process simple with four steps. The challenge, he said, is to carry out those four steps in the most cost-effective, capable manner possible.
Step One: Start with a Vendor Inventory
You can't possibly protect things you don't know you have. It's important to take inventory of your vendors, which is usually an eye-opening experience. Many companies think they have only a handful of vendors. Then they go and find out who they're actually paying. Vendors get paid through invoices, employee reimbursements or credit card statements, and when you start going through those records, you realize just how many vendors you have. It could be a hundred.
You need to do a real inventory up front, and then, if you want to keep that inventory current, you need some sort of onboarding process for third parties so that each new vendor is added to the inventory.
Step Two: Classify Vendors as Low, Medium or High Risk
Once you have your inventory, you classify vendors as low, medium or high risk. Usually, a classification should be limited to 10 characteristics or fewer. The classification is a very simple process. It needs to be fast. It needs to use questions or characteristics that anybody can answer. It needs to be objective.
Of those one hundred vendors, maybe only five to 20 have high enough inherent risk that you need to ask them additional questions (in step three, below) to confirm they will keep you secure.
Most of the vendors will filter out as low risk and be recycled, meaning they go back through classification on a set schedule. The reason you need to recycle them is that once a year, or once every six months, or whatever interval you decide to follow, you need to confirm the relationship is still what it was when you first classified it. Sometimes we expand services; sometimes we change things over the course of the relationship. The trick is doing this efficiently, either through a tool or manually.
Step Three: Assess Vendor Risk
This is the actual risk assessment. The only vendors that get assessments are the high- and medium-risk vendors. You don't need to send assessments to a vendor you’ve classified as low risk.
The assessment (as well as the classification step above) should use metrics to strengthen your determination of risk. Francen advises against subjective criteria because subjective criteria are much more difficult to defend. 63% of all breaches happen through third-party vendors. If this happens to you, you'll need to defend what you did (via your vendor risk management program) to protect against it. It's easier to defend a process built on objective criteria than it is to defend subjective thoughts and judgment.
Step Four: Make the Decision
Once you've gotten to this step in the process, now you can make a judgment call on which vendors are taking adequate security measures, and which need to improve. Here, you can decide if any vendors hold too much risk and whether you should work with them.
Keep in mind that upon a breach caused by a vendor, you'll need to defend how you defined risk. We live in a litigious society where compliance requirements are not going away; they're getting more and more strict. Being in a defensible position becomes important.
At SecurityStudio, Francen has worked with many lawyers on incident responses, and he knows what questions are raised in the event of a breach. The lawyers will try to find out what a reasonable person would do, faced with the same information. If you fall below that bar, they tend to call that negligence. If you're above that bar, you're probably going to be protected from some liability.
Any vendor risk management program must include the four steps listed above. Anything less than those four steps ends up being a shortcut and shortcuts are less defensible in the event of a data breach.
You can do all of this manually, using spreadsheets, calendars and reminders. It can be difficult to keep it all organized, to follow up when you're supposed to follow up, and to remember whether you got a spreadsheet back or whether it's still sitting in your email. As Francen explained, manual processes are certainly error prone and they're expensive. Francen's company, SecurityStudio, offers managed software to track and manage your vendor risk. He created the tool as a cost-effective way to manage vendor risk without taking shortcuts.
If you're not doing vendor risk management today, Francen’s advice is to start now. Start with one, two or three vendors. Start with a manual process. Start with a tool, like SecurityStudio’s software (this is just one cybersecurity solution that is easily outsourced to an MSP). The point is, just start.
Loffler Companies is the largest privately owned business technology and services organization in the Upper Midwest. We are dedicated to providing innovative solutions and managed services to drive business for organizations of all sizes. Our offerings include IT Professional and Managed Services, Multi-Functional Copiers and Printers, Managed Print Services, Unified Communications, Software and Workflow Technologies, and Onsite People-Based Services.