You've heard the trite expression "A chain is only as strong as its weakest link." Well, it's true, and when it comes to enterprise security, the weakest link might be outside your own organization.
Ever since it came to light that the Target data breach originated through compromised credentials belonging to a third-party vendor, there has been a renewed focus on vendor risk management (VRM), and especially on computer security risks. Companies want and need to know what risk is posed to their own business because of how another business operates. Many organizations have already implemented or are beginning to implement a VRM program.
A vendor risk management program is a formal way to assess the risk posed by third parties such as vendors, suppliers, partners and contract workers. The objective of such a program is to understand how a third party's way of work creates risk for your own company, and to develop compensating controls that manage your risk to an acceptable level.
Having a dependency on any type of outsider means there is more risk for your organization. That outsider might be a cloud service provider where you host applications; a payroll and benefits administrator that has access to highly sensitive information about employees; a contracted individual contributor who has an email account on your system; a parts supplier that provides feedstock for your own products; or even an HVAC company that submits invoices electronically and retrieves work orders from your maintenance scheduling application. Auditors and business regulators look at these third parties and say, "Their risk is your risk too."
There are numerous reasons to have a formal VRM program:
- A well-executed VRM program will truly uncover the risks that third parties present to your business. This gives you the opportunity to either work with that vendor to eliminate or reduce the risk, or to choose an alternate vendor for that product or service. Oftentimes it's possible to implement compensating controls to reduce the risk the vendor presents. For example, if you are going to host some of your applications in the cloud, and you know that your service provider hosts websites for other clients, you can ask the service provider about its capabilities for fending off DDoS attacks aimed at any of the hosted websites. A compensating control for this type of risk would be a Corero First Line of Defense® solution that can stave off attacks aimed at any application or website hosted by that service provider.
- VRM is part of good corporate governance. A well-managed company will understand what its acceptable risk level is, and this means knowing what risks a third party brings to the organization and how to reduce those risks.
- Many organizations are required by regulatory mandate to apply risk management principles to their entire working environment, and this includes third parties. Regulations like Basel II, Sarbanes-Oxley, the Gramm-Leach-Bliley Act, HIPAA and PCI mandate risk management for outside parties.
- For many companies, their brand name holds a lot of value, so it behooves a company to do everything possible to protect the brand. A serious incident stemming from a third-party risk can besmirch a brand and take millions of dollars off its value. For example, suppose your company contracts with a vendor to dispose of your old PCs responsibly. You don't check what really happens to the computers once they leave your facility. Your contracted vendor takes a shortcut and just dumps the computers in a landfill. Someone discovers the computers and traces them back to your company. Suddenly your company is all over the news as being irresponsible and causing great harm to the environment. It's a black mark on your company's name because of actions taken by your vendor.
If you're going to allow other companies to be a part of your business processes, you need to understand how they can harm as well as help you, and take steps to reduce the likelihood of harm.