Are vendors threatening your information security?
When surveyed, 97% of security professionals agreed that cybersecurity risks posed by third-party vendors are a major concern. But only 30% of organizations are taking active steps to manage their vendor risk.
We hosted a webinar recently with Evan Francen, the CEO and Founder of FRSecure and SecurityStudio, to discuss why vendor risk management is important and how to put together a vendor risk management program.
Francen’s expertise on the topic of information security comes from years of experience solving complex security problems for companies like US Bank and Target, including having built Wells Fargo’s vendor risk management program in the mid-2000s.
Why is vendor risk management important, and how can your organization get started?
What Is Vendor Risk Management?
Vendor risk management involves asking your third-party vendors questions to confirm whether and how they secure their systems and data, then tracking and documenting their responses. This is done so that if a vendor suffers a security incident that impacts your organization, you have proof that you took every step in your power to hold them accountable for their security.
In his webinar, Francen explains how Target has become the poster child for why we need vendor risk management. Back in 2013, Target was breached by a vendor working with their HVAC system. The breach was all over the news and is easy to reference in a cybersecurity conversation because most people remember it.
Francen served on the special litigation committee following the breach. As he explained in the webinar, in one of the many lawsuits from the Target breach, Target shareholders sued the board of directors. The shareholders said the board of directors didn’t manage assets well and didn’t make sure their vendors were secure, which resulted in the breach.
Why Is Vendor Risk Management Important?
Francen has sat on both sides of the table when liability is questioned after a vendor-related security issue. He's seen first-hand that ignorance is not defensible anymore. It used to be. It wasn't that long ago, maybe five years ago, that an organization could claim they didn't know any better. Today, that doesn't fly. If you're not doing any vendor risk management at all and just claiming you didn't know that it was a problem, that'll get you in trouble.
Back to the statistics that began this post: nearly 97% of security professionals say that cyber risk affecting third-party vendors is a major issue. But only 30% of organizations have a vendor risk management program in place.
This needs to change. If your organization is not doing vendor risk management today, it's time to start. Even if it’s just a manual process, pick three of your top vendors and start today.
How to Do Vendor Risk Management
Vendor risk management is simpler than people make it out to be. Francen uses the analogy that you can't fix a car without diagnosing the problem first. You also can't fix a security program without diagnosing its weaknesses first, so the starting point is an assessment.
The challenge for many organizations is: How do we do those assessments? Francen laid out this four-step process for vendor risk management in his webinar.
Read Next: Four Steps to Vendor Risk Management

Loffler Companies is the largest privately owned business technology and services organization in the Upper Midwest. We are dedicated to providing innovative solutions and managed services to drive business for organizations of all sizes. Our offerings include IT Professional and Managed Services, Multi-Functional Copiers and Printers, Managed Print Services, Unified Communications, Software and Workflow Technologies, and Onsite People-Based Services.