What is IT Vendor Risk Management (VRM)?
Think about all of your organization’s third-party vendor relationships. Of course you have physical vendors that handle mail, deliver supplies, clean your offices and provide maintenance, etc. These vendors have some access to your organization’s private information and you need to take the necessary steps to protect your information from falling into the wrong hands.
You also have a varied list of IT vendors that help you operate on a daily basis. They process email, store records, maintain credential information, provide cloud processing, and handle accounts payable and receivable. The list can be, and probably is, extensive. Each of these IT providers has some level of access to your organization’s IT environment and the information stored there.
A cyberattack occurring against one of your IT vendors immediately puts your organization at risk. Attackers can exfiltrate your data and hold it for ransom. They can attack your clients. Beyond pure financial loss, a successful breach can expose your organization to GRC (governance, risk and compliance) fines and penalties, and result in a serious hit to your reputation.
Examples of IT Vendor Risks
In the first three months of 2022 alone, there have been several high-profile data breaches caused by third-party IT vendors. A few of the breaches that highlight the need to pay special attention to IT providers were:
- A county public hospital district exposed patient information through a breach at its third-party electronic medical records (EMR) provider.
- An IT consulting company exposed customer payment and security information through a breach by their payment processing vendor.
- A state (provincial) government agency exposed names and tax file information through a breach by their payroll provider.
- An online identity and access management company exposed employee credentials through a breach by their customer service provider.
These breaches illustrate that your organization is susceptible to a security breach even if the attack originates outside your own systems. And if a breach does occur, you can be just as liable for the consequences as if the breach had occurred on your own system.
Managing IT Vendor Risk
It is crucial for organizations to approach security as a two-pronged effort. You have to secure your own resources against attack. And you also have to reduce the chance of an attack originating from one of your vendors. Every IT third party is a potential entry point into your systems and premises. And each one is a potential security risk. CBI Insight reported that 44% of data breaches are caused by a third party. To help mitigate the potential for a breach caused by an IT third party, you need to establish a strong IT Vendor Security Risk Management program.
What Is Included In an Effective IT Vendor Security Risk Management Program?
An effective VRM program should include these steps:
- Prioritization: categorization and ranking of vendors by risk to the organization.
- Assessment: identification of the inherent risk of each relationship.
- Engagement: reporting and explanation of identified security gaps to the vendor.
- Remediation: addressing of security gaps by vendor.
- Approval: evaluation and approval of vendor remediation.
- Ongoing monitoring: continuous monitoring of vendor security posture to identify potential future issues.
Every step in this process is important, but prioritization and assessment are crucial to get right as they set a baseline for everything that follows. You want to address vendors most critical to the organization’s IT first. And if you don’t do a thorough and proper IT security risk assessment, you will still be leaving your organization open to third-party risk.
How do you do an IT Vendor Security Risk Assessment?
After you have categorized and prioritized IT vendors, it’s time to perform your vendor risk assessment. The best vendor risk management tool to help determine your vendor’s security posture – and your attack surface – is the security questionnaire. But you need to be careful when developing your questionnaires. Questionnaires tend to be long and detailed, and often include questions that aren’t relevant to that particular vendor. A poorly planned questionnaire will not give you the information you need and might prove frustrating for the vendor. A well-planned questionnaire, by contrast, will be easy for the vendor to complete and will give you sufficient and relevant information to vet the vendor.
How Panorays Can Help
Panorays combines automated, dynamic security questionnaires with external attack surface assessments and business context to provide organizations with a rapid, accurate view of supplier cyber risk. The platform enables easy collaboration and communication between you and your suppliers, resulting in efficient and effective risk remediation in alignment with your company’s security policies and risk appetite.