In early 2020, networking tool vendor SolarWinds fell victim to a sophisticated large-scale cyberattack. According to The New York Times, the breach affected over 250 companies and government organizations.
The extensive list included:
- The Pentagon
- The Justice Department
- The Energy Department
Suspected Russian hackers were innovative, patient, and targeted, and they managed to compromise SolarWinds’ widely used software program, Orion. As a result, over 18,000 customers responded to Orion’s prompt to enable a seemingly routine software update.
The attack also affected the Cybersecurity and Infrastructure Security Agency (CISA), the branch of Homeland Security responsible for preventing such attacks. Yet it was cybersecurity giant FireEye that discovered the massive breach. To this day, intelligence officials are still learning new details about it, and they could spend several months or years determining the full scope of the operation.
In the wake of this disaster, SolarWinds has faced backlash for lax security systems. In fact, former SolarWinds security adviser, Ian Thornton-Trump, terminated his relationship with the company. According to Thornton-Trump, the leadership at SolarWinds failed to heed his warnings about an urgent need for company-wide commitment to internal security. Other former employees and cybersecurity researchers echoed his concerns about some of SolarWinds’ high-risk practices.
Organizations rely on third-party vendors like SolarWinds more than ever, and supply chain attacks like this one are becoming more frequent and more sophisticated. Organizations aren’t prepared to deal with such cybersecurity risks. Even the U.S. government wasn’t.
But prioritizing vendor risk management (VRM) can minimize third-party supplier security issues at every phase of the vendor lifecycle. It’s why we put together this comprehensive guide. So let’s start with some basics.
Vendors include anyone who does not work at your organization but provides goods or services. Some common examples include service providers, manufacturers, and suppliers.
The terms vendor, service provider, third party, and supplier are often used interchangeably but carry subtle differences.
IT teams usually use the terms vendor and service provider in connection with software. On the other hand, the term supplier often describes a party that delivers tangible goods. Additionally, the term third party tends to encompass all of these scenarios and definitions.
Most people use the terms vendor risk management (VRM) and third-party risk management interchangeably.
All third-party vendors pose some level of potential risk that organizations should manage.
The vendor life cycle refers to all phases of dealing with third-party suppliers. Organizations need to manage the SaaS vendor life cycle efficiently from sourcing and procurement to termination or renewal.
Effective vendor management includes tailored and largely automated workflows for:
- Finding vendors
- Controlling spend
- Ensuring service delivery
- Optimizing vendor performance
- Negotiating contracts
Last but not least, vendor risk management (VRM) is an essential component of vendor management, also known as supplier management.
The cyclic nature of SaaS makes these applications more challenging to manage compared to the old days of set-it-and-forget-it, grandfathered-in software. Additionally, our growing dependence on SaaS vendors compounds the issues. Managing hundreds of subscriptions from multiple suppliers is virtually impossible without a vendor management system, a key component of vendor risk assessment and mitigation.
Bookmark for later: “Your Guide to SaaS Vendor Management”
As mentioned before, vendor risk management (VRM) is one of the crucial elements of vendor management. Vendor risk management refers to a company’s system for mitigating negative impacts or disruptions that third-party suppliers might cause. As companies’ reliance on SaaS grows, so does the need for more sophisticated VRM. Without it, managing such dynamic tools with limited resources like spreadsheets is not feasible.
Effective VRM entails a comprehensive plan for identifying, monitoring, and minimizing risks introduced by third-party vendors.
Cyberattacks are becoming more frequent and sophisticated. According to Forbes Magazine, 2020 was a record year for data lost in breaches. In addition, we saw many cyberattacks against governments, companies, and individuals. Moreover, hackers are increasingly taking advantage of the dynamic nature of SaaS life cycles and of ad hoc or non-existent vendor risk management.
Blissfully’s Annual Trends Reports have revealed that:
- Overall spend per company on SaaS products was up 50% in 2020
- 68% of organizations said they were mostly or all SaaS-driven in 2019
- 23% of companies operated solely using SaaS apps in 2019
While these companies tend to be tech-forward early adopters, trends indicate that almost all companies will become heavily SaaS-reliant over the next few years. This trend makes VRM an increasingly vital component of any business’s risk management framework.
Outsourcing allows companies to focus on their primary purpose and has many other benefits. However, enterprises cannot rely on these parties to automatically follow the same safety protocols. And this challenge is where vendor risk management comes in.
Companies need systemic automated workflows to keep track of their vendors’ data security, cyber security, information security, and other metrics. VRM allows organizations to prevent breaches that can hurt their reputation, interfere with operations, and negatively affect profits.
Third-party service providers are here to stay with good reason, but they introduce several threats. The sheer volume of potential issues is overwhelming without proper vendor risk management.
Vendors must comply with industry regulations, especially in industries like finance and healthcare. If not, fines and penalties in these industries can be steep, and critical licensing can be revoked.
New and tighter regulations (such as HIPAA, GDPR, and CCPA) hold organizations accountable for their vendors’ practices. Fines, penalties, and licensing issues may result from third-party errors or negligence.
Even when enterprises have robust data security systems, breaches can occur through third-party vendors with more relaxed protocols. The SolarWinds breach is the perfect example of this. Ultimately, enterprises are mandated to mitigate risks associated with data breaches and compliance issues.
Once a data breach or non-compliance issue becomes public, an enterprise’s reputation may experience permanent damage. Unfortunately, this distrust can occur even if your organization isn’t responsible.
With a growing reliance on vendors, companies can find themselves in hot water if third parties cannot provide agreed-upon services. For that reason, your VRM program should include a business continuity plan that allows you to remain operational even in the event of vendor disruptions.
All of these threats pose possible financial risks. But effective vendor risk management is a win for everyone involved: organizations, vendors, and customers. VRM has to begin before contracts are even signed and continue throughout the vendor relationship.
Vendor risk management is about so much more than mitigating potential threats.
An effective VRM system can:
- Improve communication with vendors and among employees
- Offer financial security
- Save valuable time and resources
- Provide peace of mind
A VRM system means you’ll have regular, systematic, and productive communication with your service providers. Plus, having effective protocols allows everyone to focus on the task at hand knowing you’re all on the same page. Workflows are optimized, and you get the most out of your vendor relationships as a result.
Investing in a VRM program is investing in your enterprise’s financial future. In other words, the time, money, effort, and energy you invest now will prevent expensive and reputation-harming breaches in the future. The strategic investment you make now can pay dividends later on.
Putting effort and energy into new systems can feel burdensome at first. However, the time and effort you invest now can lower operational risk that would otherwise be far more disruptive. Additionally, automated vendor management like Blissfully streamlines your efforts and saves you from inefficient, time-consuming VRM methods like using spreadsheets.
Proper vendor risk management can bring you peace of mind because with automated systems and workflows in place, you can focus on what you do best and allow your third-party vendors to do the same. Also, customers will feel more at ease knowing you have systems in place to protect them. In other words, no news is good news… when you keep your company’s name out of the latest data breach controversies.
The benefits of VRM are immeasurable. You will never truly know the value unless you’ve had the misfortune of a breach that could have been prevented with an efficient VRM program in place.
Using a vendor risk management maturity model (VRMMM) is a wise starting point for navigating your vendor risk management process. For starters, this tool can help you assess how well your organization is currently managing third-party risk. Once you know your maturity level, you can create a data-driven vendor risk management strategy tailored to your organization’s third-party ecosystem.
- Not well defined
- Lacks consistency
- Ad hoc execution
- Unstructured approach
- Informal policies
- Varies depending on personnel
- Activities are not yet fully operational
- Fully functional
- Standardized processes
- Compliance and oversight measures in place
- Best practices fully implemented
- Continuous improvement review cycles
- Company-wide and complete third-party vendor compliance
After identifying your enterprise’s vendor risk management maturity level, you can pinpoint the growth areas you must prioritize to mature your VRM capabilities.
- Are there automated systems in place to collect security information throughout the vendor life cycle?
- Are the VRM programs optimized and agile?
- Are you using highly customized tools that enhance insights?
- Are policies fully developed?
- Do you have the most efficient data analysis and collection processes in place?
- Are policies consistently applied and well-documented?
- Is everyone in the organization trained in their designated VRM role throughout the vendor life cycle?
- Is there a team that can focus solely on vendor risk?
- Is there a leader that can advocate for the importance of VRM to board members and other stakeholders?
- Are processes continuously improving and proactive instead of reactive?
- Do you have an automated vendor management system that streamlines risk management?
- Are processes integrated throughout the organization to include third parties?
- Are there developed third-party management governance systems in place?
- Are third-party policies applied and well-documented?
- Is third-party VRM monitored throughout the vendor lifecycle (not just during onboarding)?
Once you know your vendor risk management maturity level and where you need to focus, you can begin targeting those weak spots to mature your VRM program.
Regardless of your vendor risk management maturity level or areas for growth, some best practices are always a good idea.
1. All vendors need to follow the same criteria
There may be some variation within reason depending on the service or product they provide. Of course, everyone within the organization needs to know and follow VRM protocol as well. For example, there should be a system in place for tracking all third-party vendor relationships. Bear in mind that most breaches occur because systems are applied inconsistently rather than because no systems exist.
2. Take a proactive approach
Before problems occur, implement an assessment process to rate potential cyber risks posed by each vendor. Consider the likelihood of a data breach as well as the potential impact (to the best of your ability). Next, decide on an acceptable risk level and only work with third parties that meet your predetermined security rating criteria. Finally, have remediation plans in place for potential breaches, including worst-case scenarios.
3. Follow the principle of least privilege
This practice means that employees and vendors only receive privileges as needed to complete assigned tasks. Furthermore, access should be driven by need, not by role. In other words, if a vendor needs access to information to complete a specific job, that access should be revoked once the task is complete.
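As an added illustration of need-based rather than role-based access (this is example code written for this guide's point, not Blissfully's product or any real access system; every account, system, and ticket name in it is constructed), the following Python model ties each grant to a specific task and an expiry, flags grants whose task is complete or whose window has passed, and also covers the offboarding case where a terminated vendor's access is withdrawn regardless of task state:

```python
# Added example: task-scoped ("need, not role") access grants with expiry.
# Not Blissfully's code; all account, system and ticket names are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class AccessGrant:
    principal: str        # vendor or employee account (constructed names below)
    resource: str         # system or dataset the grant covers
    task_id: str          # the specific job that justifies the access
    expires_at: datetime  # hard stop even if nobody closes the task
    task_complete: bool = False
    revoked: bool = False


# Fixed reference time so the constructed sample data is reproducible.
NOW = datetime(2021, 3, 1, 12, 0, tzinfo=timezone.utc)


def grant_for_task(principal, resource, task_id, now, ttl=timedelta(hours=8)):
    """Issue access for one task only; the grant carries its own expiry."""
    return AccessGrant(principal, resource, task_id, now + ttl)


def should_revoke(grant, now):
    """A grant is stale once its task is done or its clock has run out."""
    return not grant.revoked and (grant.task_complete or now >= grant.expires_at)


def stale_grants(grants, now):
    """Grants that are still live but no longer justified by a task."""
    return [g for g in grants if should_revoke(g, now)]


def revoke_stale(grants, now):
    """Revoke every stale grant and return the ones that were revoked."""
    revoked = stale_grants(grants, now)
    for g in revoked:
        g.revoked = True
    return revoked


def offboard(principal, grants):
    """Vendor termination: revoke all of a principal's grants, task state aside."""
    revoked = [g for g in grants if g.principal == principal and not g.revoked]
    for g in revoked:
        g.revoked = True
    return revoked


def active_grants(grants, now):
    """Grants that are neither revoked nor stale."""
    return [g for g in grants if not g.revoked and not should_revoke(g, now)]


def build_sample_grants():
    """Constructed sample: two vendor accounts and one employee, as of NOW."""
    support = grant_for_task("acme-support", "billing-db", "TKT-1042",
                             NOW - timedelta(hours=2))
    support.task_complete = True                      # job done, access lingers
    dev = grant_for_task("northwind-dev", "ci-secrets", "TKT-0987",
                         NOW - timedelta(days=1))     # 8h window expired long ago
    staff = grant_for_task("jane.doe", "hr-exports", "TKT-1100",
                           NOW - timedelta(hours=1))  # still inside its window
    return [support, dev, staff]


if __name__ == "__main__":
    grants = build_sample_grants()
    for g in revoke_stale(grants, NOW):
        print(f"revoke {g.principal} on {g.resource} ({g.task_id})")
    for g in active_grants(grants, NOW):
        print(f"still active: {g.principal} on {g.resource} ({g.task_id})")
```

Running the block prints the two stale grants (one whose task is complete, one whose window has expired) and the one that is still active. The design point is that the revocation decision lives in the grant itself, in its task and its expiry, so cleanup does not depend on someone remembering to trim standing, role-based access after the work is done.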
4. Mitigate risk at all stages of the vendor lifecycle
Point-in-time snapshots like surveys are static and limited. Instead, use technology that provides real-time information that instantly notifies you if a vendor is out of compliance or at risk, a situation the vendor may not even be aware of.
5. Keep track of fourth-party risks that service providers introduce
You need to know your service providers’ vendors: what operations they perform for your providers and what due diligence your vendors have in place to protect your information.
6. Automate the process as much as possible
Effective vendor risk management can quickly become overwhelming, especially for large organizations. Manual methods like spreadsheet tracking are laborious and often ineffective. On the other hand, automated tools can reduce unnecessary labor for you and your vendors and get more accurate and protective results.
Screening potential vendors is a critical first step in ensuring compliance with your enterprise’s VRM plan.
Before speaking with a vendor, you need to internally assess:
- Types of data the vendor will need access to
- Whether the vendor will need to share accessed information with downstream third parties
- The level of risk to clients, employees, and the enterprise should a breach occur
These factors will help you determine the scope of due diligence necessary when screening potential vendors. Industry-specific standard assessment questionnaires are a great starting point. However, you may find custom questionnaires work better for you as your vendor risk management matures.
The sample questionnaire below is not exhaustive. Instead, it highlights critical considerations that you can tailor to your organization and the role of specific vendors.
- How do you handle personal data and other sensitive information?
- Do you have any litigation or regulatory actions pending against you?
- Have you experienced any security incidents or data breaches?
- What are your third-party sharing practices?
- Do you have cyber insurance?
- What protocol do you have in place to handle security issues and data breaches?
Remember, assessment should not end after the initial screening. Ongoing monitoring needs to take place throughout the vendor life cycle. It’s vital to catch compliance and risk issues in real time. Consequently, using software to automate these extensive and critical procedures is your best bet.
Blissfully can help you keep your organization safe at every phase of the vendor life cycle.
Blissfully can help you determine if internal employees or existing vendors can meet project needs without adding the risk of a new third-party vendor.
Blissfully’s streamlined SaaS vendor evaluation process helps you avoid shadow IT that can lead to data breaches and other security issues.
Blissfully’s vendor management can streamline your security assessments and compliance reviews.
Automate vendor workflows like renewals that can slip through the cracks when using manual means like spreadsheets, resulting in lapses and security issues.
Blissfully’s vendor management tracks your vendor life cycles so you can withdraw access that terminated vendors no longer need and complete other appropriate offboarding procedures.
Learn more about how Blissfully can help you manage vendor risk. Request a demo today.
“Blissfully does what we struggled to do before — it centralizes all our GDPR, compliance, security, risk assessment, and procurement data all in one.”
~Tad Whitaker, CircleCI Head of Security
Read the case study.