Vendor risk is always present in the business world but can be addressed by being proactive and implementing the right strategies.
Vendor risk for your organization is an important topic to consider when you sign up a new vendor for your business needs or vice versa.
In this blog post, we'll briefly discuss a few steps organizations can take to help address any possible vendor risk they might face in 2023. You can get a full picture of which essential questions to ask your existing vendors and what your organization should consider regarding vendor risk.
⚠️ Understanding the Risks: Why Focusing on Vendor Risk Matters
One of the most significant elements of risk that a company has (from a security perspective) is its third-party vendors, and this risk element is often outside of its control.
There are various forms of risk. When discussing security risks, an organization can stay in control by using different security tools and technologies to help secure its technology environment. Despite this level of control, users can represent the weakest link in an existing cybersecurity system. If an attacker gets hold of an employee's password, that employee's access becomes a proxy through which the attacker can reach your organization.
Similarly, your partners or vendors (depending on their critical role in your business) could also represent a significant component of your risk.
Vendor risk is a significant issue for organizations, as the potential risks associated with vendor relationships go far beyond financial concerns. Without proper vendor risk management, organizations are exposed to various threats that could damage operations and trustworthiness in customers' eyes.
Potentially more significant damages can result when your vendor partner’s poor performance affects your organization due to interdependent services or resources.
Organizations must ensure vendor protection by performing thorough vendor risk assessments before engagement and having procedures in place for ongoing management. This process enables the organization to gain insight into vendor activities and relevant policies, mitigating vendor-related risks and ensuring compliance with data protection laws such as GDPR or HIPAA.
The Risk of Vendor Services: How a Heating, Ventilation, and Air Conditioning (HVAC) Company Impacted Target's Cybersecurity (A Vendor Risk Story) 🐱💻
This is an example of how vendor risk can impact an organization using something as innocuous as a heating, ventilation, and air conditioning (HVAC) company.
In 2013, Target, a major U.S. retailer, used an HVAC company to service the ventilation in their buildings. The problem Target encountered was that the HVAC company was compromised by hackers who stole network credentials that allowed them to get into Target’s proprietary network.
It was a surprise! How could this HVAC company servicing Target's buildings be a risk from a cybersecurity perspective? Well, it was for Target, and cost them a lot - the breach exposed 40 million debit and credit card accounts.
A fraud analyst for Gartner Inc. estimated that "Target could face losses of up to $420 million due to the breach". An expensive price tag for any organization.
✅ 4 Tips for Mitigating Organizational Vendor Risk In 2023
1. Ask the right questions about existing IT security protocols.❓
There are also internal risks that any of your current vendors may pose to your organization. These risks can be thought through in advance (from a business development perspective) when working with new prospective customers. If your organization has gone through vendor onboarding when working with new companies, those same questions can be applied to the vendors you work with.
For your organization, one key question should come to mind: “Do you have any risk with vendors that you currently partner with? What are those risks?”
Suppose your organization is trying to sell your services to another company, and they have a vendor onboarding process. In that case, you're likely to see a little more rigour in their security and other qualifying questions.
2. Run through a “what if” scenario. 🤷♂️
Consider running through a “what if” scenario regarding the most significant risks posed by critical vendors for your organization. The same strategic exercise can be applied when your organization is a critical vendor for another company.
There have been several instances of supply chain attacks where organizations are breached or have compromises not from their internal services but through vendors that provide services to them, like the Target incident mentioned above.
Analyzing the "third-party" Sunwing Incident:
The most prominent and recent example of this was the Sunwing incident in April 2022. Sunwing's ticketing system was managed by a third-party vendor, and that vendor was hacked. This caused several problems for the airline:
❌ Bad public relations: negative brand perception due to news outlets publicizing that Sunwing was hacked. It was their ticketing vendor that was compromised, but the impact still hit Sunwing’s brand in a negative way.
❌ Additional work: due to the issue with their ticketing system vendor, Sunwing was forced to conduct their ticket booking manually.
❌ Cost: this incident cost Sunwing a great deal of money (and not only in direct capital). They had to pay their team for overtime and compensate travellers for the issues with their bookings (plus additional costs due to flight cancellations).
It is important to emphasize that Sunwing itself wasn't compromised in this situation. Rather, the compromised party was a vendor that was providing the ticketing and boarding services to the airline.
So not only can a supply chain attack have an immediate financial impact, but it can also have a trailing financial impact based on lost potential revenue from customers due to the negative news about the impacted company. This can also erode any trust between the company and its existing (and future) customers. It can take time and money to rebuild that trust as a business.
It is worth going through a “what if” thinking exercise for your organization. Better to do it now, while you are calm, than when a cyberattack occurs, because at that point your brain might be in fight-or-flight mode due to the severity of the situation. If things get bad and your vendor is compromised, your organization may be thrown into pure reaction mode, where people are testing different solutions instead of implementing an existing cybersecurity emergency plan.
If an organization has undergone this type of strategic exercise, it can better manage a crisis in the future and reduce its related risk.
🤔 Key questions to consider when running a "what if" scenario:
1. Which critical vendors are providing services to your business right now?
2. What risks do they pose to your organization?
3. What are the top 3 “what if” scenarios that your organization should be prepared for?
3. Evaluate what changes can be made to address any existing vendor risk. 📑
Identify normal, probing questions to help your business get a sense of where risk exists in its current relationship with its vendors and what must be done to mitigate it. Based on the answers to such questions, your leadership team can then evaluate what changes (if any) need to be made by either your organization or its vendors to mitigate those risks.
Think of this as low-hanging fruit that your organization can reach to reduce the risk profile of its vendors. It's easier to be proactive than to be surprised by a cybersecurity incident.
This can be as simple as having a backup vendor, or something more rigorous, such as requiring existing vendors to strengthen their security posture and collaborating with them to ensure they do.
🤔 Key questions to consider when evaluating what changes can be made:
1. Does your organization have a security protocol?
2. Does your organization have contingencies in place related to existing vendor risk?
3. What type of security initiatives does your organization have in place?
4. How does your organization secure its data?
5. What is your organization’s disaster recovery plan?
4. Create a basic contingency plan for your business-critical vendors 📅
It is vital to have a basic contingency plan for those vendors who are essential for the daily operations of your business.
A basic contingency plan should provide the security and protection needed to reduce potential risks associated with your organization’s current vendors. There might be templates available online, but the contingency plan should be tailored to your organization’s situation, your existing resources and what resources should be acquired (ahead of a supply chain attack).
🤔 Key questions to consider when creating a basic contingency plan:
1. What can be done proactively and intentionally to ensure your organization is as secure as possible?
2. What steps have your business-critical vendors taken to ensure they are well-defended against supply chain attacks?
3. How do you audit your vendors from an IT security perspective?
4. What needs to be updated about your existing vendor selection process?
5. Have your vendors updated their contingency plans regarding a cyberattack?
As we move into 2023, it’s essential to be aware of the vendor risks that could impact your organization and have a plan to mitigate them. By following the tips outlined in this blog post, you can rest assured that you are taking the necessary steps to protect your business from potential vendor-related threats.
Need help putting together an IT security protocol that works for your organization? Chat with us today and see how our experts can help.