Three Practical Steps to Launch Your Vendor Risk Management Program

Who can forget Target Corporation’s massive security breach in 2013? However, did you know that the attack started when Fazio Mechanical, a small heating and air conditioning company in Pennsylvania that worked with Target, got its own vulnerability exploited via emailed malware?

In this intrusion, the thieves managed to steal the VPN credentials Fazio technicians used to connect remotely to Target’s network and eventually gained access to 40 million Target customer and credit card accounts. Often overlooked in this story is that Target Corp. hired Verizon’s security experts to scan its network for vulnerabilities in the days before the massive hack. The confidential findings, released in 2015, confirmed what experts had long suspected: Once inside Target’s network, nothing could prevent an attacker from having direct and full access to every checkout at every Target store.

According to an internal company report circulated among research teams in the Cybersecurity community, Target commissioned a “pending litigation” study on banks that may have sued the retailer to reimburse their customers for card re-issuance costs.

Verizon’s assessment, lasting through December 21, 2013, and March 1, 2014, reported: “no controls limiting their access to any system, including in-store devices such as logs, servers, and points of sale (POS) terminals.” The report states that Verizon consultants can communicate directly with storage logs and servers from the main network. In one case, they were able to contact cash registers in the checkout aisles directly after compromising a sausage scale located in another store.

Ultimately, in 2017 Target agreed to pay $18.5 million to resolve complaints from 47 states and the District of Columbia.

The above should remind all organizations that developing a good supplier risk management program is necessary. It was a must already in 2013 when Target was compromised, but nearly ten years later, it’s an absolute must for any organization managing sensitive data among multiple vendor relationships.

The Reason Vendor Risk Management Is Important

Managing all types of risk is an essential part of building and maintaining a successful business in 2022. Effective supplier risk management is vital for companies increasingly interconnected by technology and supply chains that expand not only across territories or countries, but even across the globe. Developing a risk management process to identify and mitigate risks includes considering areas as diverse as cybersecurity, regulatory compliance, supplier relationship management, and a thorough assessment of third-party risks. You can create a successful supplier risk management program with the right technology, tools, and sound planning to address general supplier risk management challenges and business process improvement. The goal of such programs is simple: to monitor, manage, and mitigate the risks associated with relationships with third-party vendors and IT professionals. If appropriately implemented, vendor risk management employs a clear set of policies and processes that support the elimination of additional risk and the mitigation of any that already exists, including:

• Extensive damage to the organization’s reputation.
• Unpredictable legal liability.
• Organizational decisions based on incorrect data.
• Data leaks leading to the disclosure of confidential information.

With globalization and ubiquitous digital transformation, supplier risk management is more than just managing suppliers in the supply chain. To reduce costs and increase flexibility and profitability, many companies outsource critical business processes to third parties aiming at strategic improvements to their operations and reducing costs by reducing overhead and labor costs.

However, some (or perhaps many) third-party providers have a corresponding number of third-party security risks. Sometimes they aren’t even aware of their security posture and the potential security breaches, cyberattacks, and other data security concerns, as well as regulatory compliance issues to which they expose their partners. Therefore, the information technology (IT) capabilities, information security, and cybersecurity of the suppliers you choose for services and supplies must be as trustworthy and reliable as your own, if not better.

Implementing a comprehensive and detailed supplier selection process will filter out high-risk suppliers that may end up overlooked. It will also allow you to optimize your existing supplier list to ensure that all of your suppliers take security, performance, and compliance as seriously as you do.

Three Steps to Develop Your Vendor Risk Management Program

The needs of your business depend on your organizational type and industry. Still, any organization, even non-profits and government, can develop an effective supplier risk management program on a solid foundation based on a set of proven best practices. Swimming in the potentially treacherous waters of a third-party risk management process without first setting a course can lead you to a rock of regret pretty quickly. I offer three easy to apply and very practical steps any organization can take towards launching their vendor risk management program:

1. Step One: Define Your Policies, Program, and Process

Before you begin, decide how to manage your vendor risk assessment as part of vendor risk management by defining your:

• Policies: these should contain general and objective recommendations for third-party risk management.
• Program: provides a framework and structure for all stakeholders to identify risks, address them, and measure the success of corrective actions for further refinement.
• Process: the detailing of daily activities, responsibilities, and specific workflows.

2. Step Two: Define Objective Vendor Selection Standards

Whether a key supplier or a service provider that manages business processes, each supplier must undergo a thorough risk assessment before being added to the supply chain or service list.

Implementing a comprehensive and detailed vendor selection process will filter out high-risk vendors that might otherwise go unnoticed. Doing this will allow you to refine your existing list of vendors to ensure that all of your vendors value security, performance, and compliance as much as they do.

Objective Vendor Selection Standards will vary from one organization to another but should include the following:

• Conduct a complete inventory of all third-party vendors. Include due diligence in your evaluations of new potential suppliers.
• Perform a thorough risk assessment of all vendors to identify and drill down into the cybersecurity, information security, regulatory compliance, reputation, and other data security risks that each vendor poses to your business.
• Organize your vendors according to their potential levels of risk broken down by service levels. Separate those whose risk level can be reduced by remediation and remove those whose risk profile exceeds your company’s acceptable risk level.
• Develop a set of formalized contractual standards that you can use as a starting point for establishing or (re)evaluating all relationships with third parties. The following need to be clear:

Responsibilities of both the seller and your company throughout the duration of your relationship, as well as rewards for exceeding standards and penalties for non-compliance.

A formalized process for submitting, monitoring, and modifying contracts in line with (re)negotiations and other changing circumstances.

Working with the right staff, create a set of processes that automatically analyze exposure to potential new vendors with clear performance and compliance benchmarks. Ideally, this system will allow real-time assessment of these factors for both potential and existing suppliers to prevent unpleasant surprises. Using a solution like S2Vendor from Security Studio can help by automating approval workflows, providing a supplier portal that connects suppliers to the system for greater transparency, and real-time data analytics for measuring supplier key performance indicators (KPIs).

3. Step Three: Communicate and Embrace Cultural Change Every organization needs to understand that improving security requires a cultural change. Organizations need to communicate this change repeatedly, and it needs to be embraced by the company and its vendors and suppliers. Whereas one-off due diligence was the norm in the past, a successful vendor risk management program is a journey, not an event.

One great benefit of pursuing a cultural change around security is the improvement it brings in reporting and collaboration. Everyone involved in the process has appropriate access to critical information and can create custom reports and dashboards on demand. The completer and more transparent the risk assessment, communication, and audit processes are, the more reliable your business is.

George Bakalov is the Director of Security and Solutions at IMPACT Group, a leading Twin Cities Managed Service Provider, helping Minnesota-based organizations manage through and navigate the complexities and challenges of IT, among which is cybersecurity. Click here to get in touch with our team and discuss your strategic or immediate IT needs.