116 3rd St SE
Cedar Rapids, Iowa 52401
It long has been understood that IT risk is business risk. The last several years have highlighted the importance of risk management in business operations.
If your IT staff is falling behind on patching systems, isn't closely monitoring end of life for hardware, or is failing to implement the full range of needed security controls, then that risk eventually will become a problem for the C-suite.
IT vendors and suppliers can bring a special kind of risk to your organization, and vendor risk management takes the concept of risk management one step further.
The IT risk of your third-party vendors quickly can become an organizational problem. We don't have to look back very far to find recent glaring examples of this issue.
Think of the Microsoft Exchange Server vulnerabilities, SolarWinds and Kaseya, and, more recently, the Log4j vulnerability around Christmastime, which may well have impacted your vendors.
This isn't a new concept, but it’s recently getting more attention. Remember the Target breach nine years ago?
Although the root cause arguably was poor network segmentation, Target was hacked by way of an HVAC company.
The foundational concept is that although we can outsource the work for a process, we never can truly outsource the accountability and impact for a process. It's human nature to conflate accountability and blame.
When you are assessing risk for your organization, please resist the urge to say, "If we get breached because of a vendor, it wouldn't be our fault. We don't need to worry about it."
Will your customers see it that way after their personal information is posted on the dark web?
Vendors will bring risks in this increasingly interconnected world. There are several things we can do to limit the likelihood and impact of a horrible event.
First, we can follow a due diligence process when onboarding new vendors and during contract renewal.
Categorize your vendors based on how much you rely on them for a critical business process and if they process, store or transmit any of your sensitive data.
If those vendors exceed a threshold of risk, you can follow additional steps, such as sending them a vendor questionnaire to request evidence of how they protect your interests.
Someone on your team can review their answers to determine if their claims make sense and meet your standards.
Your organization has likely been on the receiving end of these vendor risk questionnaires. If you buy cyber security insurance, you have definitely had to fill out one of these questionnaires.
The questions are fairly standard and something you should have been thinking about already. Do you have MFA? Do you have off-site backups?
Do you have modern endpoint protection? Do you have alerting and monitoring for anomalous events?
They're trying to gauge if you have any type of security program. These are the types of questions you should be asking your high-risk vendors because their problems can quickly become your problems.
Second, there are some scanning tools and services that you can use to take a peek at their externally facing presence. Shodan and BitSight are two that come to mind.
Although this external view doesn't paint the whole picture, it can grant you additional insight into the health of another organization's security program.
The third initiative to highlight: if a vendor's legacy software won't allow you to patch critical vulnerabilities, it might be time to put pressure on that vendor to fix their problems or to start looking for another vendor that can.
Brandon Blankenship is a cybersecurity consultant at ProCircular and a board member of SecMidwest, a Cedar Rapids-based not-for-profit focused on cybersecurity education. Visit SecMidwest.org for more information on attending the organization’s free monthly meetings.