WHAT SHOULD BE IN YOUR VENDOR MANAGEMENT CYBERSECURITY POLICY?

Third-party vendor management policy is perhaps the most underrated component of a mature cybersecurity strategy. Last year, Becker’s Hospital IT reported startling statistics:

“Although data breaches are rare, almost half – 44 percent – are caused by third-party vendors, consistent with an esentire survey. Of the info breaches that happened from a vendor, only 15 percent of firms affected reported that the seller informed them when a breach happened.”

More recent reports show that nearly 60% of security breaches occur through third-party vendors. As smaller analytics and IT support businesses grow more popular, the number of attack vectors increase.

Many small and medium-sized businesses think that they're immune from cyber attacks thanks to their size. But the truth is that the majority hackers don’t usually attack large organizations head-on. It makes more sense to infiltrate these corporations indirectly through the lax cybersecurity measures of smaller vendors.

If your company is like most businesses today, you’ve subcontracted much of your work to 3rd party vendors. It’s critical that you know which vendors have access to what data and whether those vendors maintain reliable cybersecurity policies and procedures.

What is a Third-Party Vendor Management Policy?

A vendor management policy may be a set of internal standards that dictate how a corporation will protect itself from cyber-attacks originating through third party vendor networks. This formal policy typically includes thorough documentation and an idea to implement controls across the organization.

Policy Documentation

The foundation of a sound vendor management policy is policy documentation. This third-party vendor management handbook establishes every way during which decision-makers shall select, manage, and assess outsourced solutions.

No vendor management policy should be completed without intensive, direct input from company owners (or board members) and the cybersecurity team. Shareholders often enlist the assistance of experienced technical writers to draft company policy into a working document.

Employee Education

After composing a third-party vendor management handbook, managers should oversee employee training. While most employees may not be held responsible for managing third-party vendor relationships, they all have the ability to spot cybersecurity risk.

Your vendor management policy should give every employee the tools they have to identify and report cyber risks when and if they see them. Additionally, any discussion on cybersecurity is an opportunity to re-educate employees on cybersecurity preventative habits, such as being careful to always log out of work computers and avoiding emails from unknown senders.

Policy Compliance

Your third-party vendor management policy should establish compliance standards for anyone liable for shopping or managing third-party vendor relationships. You will also want to create controls that rectify holes in security between your organization and the vendors to whom you subcontract projects.

These third-party vendor compliance standards make sure that you recognize where your critical data goes, the way to select vendors that meet internal compliance standards, and what to try to do should a vendor fail to meet those standards.

Key Elements to a Third-Party Vendor Management Policy

Your vendor risk management policy should include all the necessary criteria and controls to ensure that you’re not opening your company to attack vectors posed by vendors. Within your vendor management policies and procedures, you should outline:

• How you select your third-party vendors
• When and how you perform vendor risk assessments
• Necessary legal clauses to include in contracts with third-party vendors
• Cybersecurity risk reporting measures
• How your team will monitor vendor risk

Picking Your ThirdParty Vendors

As purchasing and project managers engage sales agents, cybersecurity should be a critical part of the conversation. The third parties you partner with should be ready to demonstrate how they properly manage their own cybersecurity risk.

It may be appropriate to request a replica of their cybersecurity policy or perform risk assessments thereon vendor before agreeing to try to do business. Because you'll be held responsible for your customers’ lost or stolen data – no matter whether a hacker breaches your or a vendor’s system – you ought to be as conscientious about a third-party’s security as if it were your own. If you have serious doubts about a vendor’s cybersecurity policies and procedures, you should move on to other vendors.

Performing Risk Assessments

Depending upon the scope of your business, you may not have a lot of power to wield with regards to your vendor’s security standards. However, there are many things that you can do to assess potential risks.

The first step when assessing third-party vendor risks is to prioritize which vendors have the foremost access to your network and hardware. Those vendors with the foremost access to company data pose the best risk.

After identifying those vendors with the most network access, you should discuss security policy with your vendors. Some organizations send questionnaires while others make in-person visits. The goal is to look at how seriously those vendors take cybersecurity.

You can also revisit service level agreements with those vendors and note anywhere they mention cybersecurity controls. Whether performing these assessments in-house or with the assistance of a virtual security team, attempt to note any instance during which a vendor appears to be lax in upholding security policies.

Third-Party Vendor Contracts

When lining up new vendors or renegotiating contracts, it’s appropriate to include verbiage outlining cybersecurity expectations on behalf of your organization. The more you can incorporate your vendor management policy into third-party agreements, the better.

That said, you can’t bully your vendors into compliance. And it isn’t reasonable to expect that your third-party contractors will allow you to poke at their every vulnerability. By gauging the seriousness with which your vendors take cybersecurity, you will gain the assurance you need to protect your network from back-door attacks.

Reporting on Cybersecurity Risk Management

Some organizations – including third-party vendors – only examine their cybersecurity policies every few years. Since an excellent deal can happen technologically therein time, it makes more sense to reassess policies and controls more often.

Your cybersecurity team should provide regular reports (monthly, quarterly, etc.) that outline which vendor relationships make your network most vulnerable to cyber attacks. These reports may additionally include answers from vendor questionnaires on their cybersecurity policies and procedures.

Compliance Monitoring

Your vendor management policy should outline ways to enforce compliance for your purchasing and project managers. Since cyber-attacks could happen at any time and infiltrate your network through your third-party relationships, everyone involved in vendor relations should understand the risk and take steps (as outlined above) to guard the business against lost/stolen data.

Because most organizations don’t have the payroll for both an IT department and a cybersecurity department, it often is sensible to solicit help from a cybersecurity provider. Agencies providing third-party risk management services can do the work related to third-party risk assessments and compliance monitoring.

Vendor Management Policy Best Practices

To build a successful vendor risk management policy, you’re getting to need a couple of things. Many organizations, they’ve focused on building out their capabilities without consideration for how scaling a business presents a greater risk for the cyber attack.

As you and your superiors begin producing a vendor management policy, here may be a list of policy best practices.

Create data maps.

Data maps clearly outline what information goes where. Additionally, it shows which vendors have access to the data. Be sure to keep in mind vendors that have access to logins, the premises, or network hardware.

The idea with data maps is not to penalize or decrease business with certain vendors. Rather, the objective of a data map is to be aware of all the possible attack vectors to your network.

Be mindful of consumer data privacy law.

If you serve consumers in Canada, Europe, or California, then you are subject to strict consumer data privacy laws. When seeking compliance from agencies like PIPEDA, GDPR, and CCPA, you need to also consider your vendors.

For example, under the CCPA, California residents are allowed to submit a deletion request to your organization. That means that any personally identifiable information (PII) you have on that consumer must be deleted. The same goes for any vendor or affiliate with whom you’ve shared information.

Part of your vendor management policy should include consumer rights under international consumer data privacy law. You could be prosecuted for the cybersecurity negligence of one of your vendors in the event of lost or stolen data.

Question your vendors about their cybersecurity policies and procedures.

You don’t want to be rude and intrusive, but you are doing have a right to understand how seriously your vendors take their cybersecurity. Some businesses require their vendors to submit answers to surveys. These survey answers can help with cybersecurity audits and risk assessments.

But some vendors won't take impersonal surveys seriously. If it’s just a “check within the box” for them, then they'll be conveying false information about the safety of their network.

Instead, you'll make it a habit to ask pointed inquiries to key members of your third-party vendor’s staff. Depending upon your professional relationship, it's going to even be appropriate to go to their campus and observe their security measures face to face.

You don’t want to be rude and intrusive, but you are doing have a right to understand how seriously your vendors take their cybersecurity. Some businesses require their vendors to submit answers to surveys. These survey answers can help with cybersecurity audits and risk assessments.

But some vendors won't take impersonal surveys seriously. If it’s just a “check within the box” for them, then they'll be conveying false information about the safety of their network.

Discuss impact in monetary terms.

Sometimes, the battle for vendor management policy occurs within your organization. Cybersecurity spending doesn’t sound as appealing to executives as does enhancing sales-driven initiatives.

But the fact remains that one security breach could cost the company hundreds of thousands of dollars. Some data breaches are so bad that the business must close its doors or face ongoing civil lawsuits.

When you discuss vendor risk management policy with your superiors, it’s critical that you state the risks in dollars and cents terms. Using the FAIR model risk assessment, you'll do that more effectively and motivate decision-makers to take a position in third-party risk management.

Consider outsourcing your third-party risk management tasks.

If your business may be a small or medium-size business, it’s not financially viable to take a position in a cybersecurity team. But thanks to virtual, outsourced cybersecurity companies, even shoe-string budget organizations enjoy the benefits of vCISOs and cybersecurity staff augmentation.

More specifically, third-party risk management services can help you create and maintain a reliable vendor management policy. Not only do these agencies do cybersecurity full-time, but they further understand the character of cybersecurity in third-party relationships since they also operate as third-party vendors.

These outsourced solutions are more cost-effective and agile. Additionally, they don’t suffer from the kind of tunnel vision that’s typical of cybersecurity managers and staff on the company payroll.

Pay extra attention to unpatched software and phishing.

The two commonest ways in which a hacker infiltrates a network are thru unpatched software and phishing attempts. Your third-party vendors should be aware of these dominating threats and demonstrate clear controls to address them.

Many cybersecurity threats would be non-existent if companies diligently patched software vulnerabilities. Sometimes, it’s as easy as maintaining software updates. Other times, the seller may have to possess round-the-clock system monitoring.

When it comes to phishing attempts, the most effective way to resist these threats is by training employees. Untrained staff is more likely to click on the wrong link and invite malware onto the network holding your or your customers’ sensitive information.

Hold your organization to the same standard that it holds for third-party vendors.

It’s ironic that some companies become so consumed with third-party vendor management policies that they neglect their own network. If you expect your vendors to maintain reliable security policies and procedures, then so should you.

Sometimes, decision-makers uncover vulnerabilities closer to home while within the process of developing vendor risk management policy. No matter how vulnerabilities present themselves, any discussion on cybersecurity is an opportunity to improve security wherever possible.

In Conclusion

A strong vendor management policy could make the difference between smooth sailing and an epic security breach. It’s important to remember that more than half of hackers today try to infiltrate networks indirectly through third-party vendors. You should only partner with those vendors that take cybersecurity as seriously as you do.