Avoid the pitfalls of vendor complexity
How organisations can avoid the pitfalls of vendor complexity
As organisations grow and scale, they often bring on a number of new vendors, third-parties, and partners that have a range of technical integrations and non-technical interdependencies. Third-party vendors help organisations move faster and bypass the need for in-house experts and departments. A study last year found that the organisations using more than 1,000 third-party vendors more than doubled from 14% to 31%.
However, amassing a high number of third-parties can also result in a complicated vendor ecosystem that’s difficult to manage and properly utilise. This can overburden teams and departments, and increase third-party risk, which is a growing concern for many organisations. Globally, 84% of organisations are worried about supply chain and other third-party risks, and as we saw from recent zero-day vulnerabilities such as Log4j, third-party risks can lead to security compromises.
Organisations need to have a proper vendor management system and process in place in order to mitigate third-party risk.
The challenge of vendor complexity
Bringing on new vendors often requires multiple stakeholders. In short:
- Finance needs to review and approve budgets
- Legal needs to account for potential risk, data protection and security, and proper contracting
- Information security needs to vet cyber risk
- Engineering needs to ensure implementation and integration are done without disrupting environments or slowing down dev work.
- And additional departments need to be brought in depending on how the vendor will interact with your company. For example, on-premise security will require keycards while an outsourced engineering team will need the right access and permissions to your environments.
Even under ideal scenarios, this process can take up to six months for large organisations. While agile companies have the benefit of moving much faster, if there’s no formal system in place and every vendor procurement process is done ad-hoc, it can result in an inefficient system that will slow down your organisation and the various departments above, ultimately costing a company in productivity. The same lengthy vendor vetting, onboarding, and implementation process applies to any cybersecurity vendors which means, without a streamlined process, an organisation stays in a vulnerable and exposed state for a longer time.
To offset this lengthy process, some departments may shortcut essential aspects of the vendor vetting, onboarding, and implementing process. One of the first to go? Security. Security due diligence is often skipped over or deprioritised, putting you in a tough position. You want to make sure that the organisation is secure and is managing risk appropriately but you may face a lot of pushback if it seems like it will slow things down too much.
Given the vast number of vendors an organisation may work with, the combined effect is an elevated risk for the organisation. And this risk can be quite costly and severe.
How too many vendors can expose you to risk
If an organisation chooses to skip proper third-party risk assessment and due diligence, it can result in a shaky vendor ecosystem that’s not only potentially overwhelming your organisation, but also exposing you to risk. Here’s how.
The vendor is risky or non-compliant
If you don’t have the right vendor management system or process in place, your organisation might end up working with an outright risky vendor without even knowing it. Your department might not be alerted to a new vendor that the marketing department decided to use months ago. If it turns out the vendor doesn’t have the right security practices or is non-compliant, that risk will pass to you, since your organisation is responsible for ensuring secure handling of any information and data via a third-party. This heightened risk and exposure can also lead to a cyber security incident such as a data breach, or a ransomware infection that eventually reaches your environment.
Given the recent focus on third-party risk by standards bodies such as NIST, third-party risk management has become a key component of regulatory and compliance priorities, and many governing bodies are finding first-party companies culpable for third-party errors. Morgan Stanley was fined $35M by the SEC for failing to monitor a third-party vendor they hired to properly dispose of and destroy hard drives containing PII of millions of people.
Implementation and integration is insecure
If organisations prioritise speed over security, integration between vendors may be done in a risky way. For example, a third-party communication platform (like Slack) might not have MFA/2FA in place, which can expose them to account takeover attacks. Or a cloud-service provider might be misconfigured, allowing unauthorised users to access data with minimal effort. Misconfigured S3 buckets are responsible for dozens of data breaches simply because they weren’t set up correctly.
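The S3 misconfiguration mentioned above is usually a bucket policy that grants access to every principal. The following is an added example, not code from the original article or from Risk Ledger: a small checker that reads a bucket policy document (the standard AWS JSON structure of Statement, Effect, Principal, Action and Condition) and flags Allow statements open to any principal. The two sample policies, the bucket name and the vendor account/role ARN are constructed for illustration. It also handles two edge cases a quick review often gets wrong: a Deny statement with `Principal: "*"` is not public access, and a public Allow that carries a Condition is not automatically safe, so it is reported for manual review rather than passed.

```python
"""Flag public-access statements in an S3 bucket policy document.

Added example for the article; the policies below are constructed samples.
"""
import json

# Constructed sample: a hurried integration that opened the bucket to everyone.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-vendor-exports",
                "arn:aws:s3:::example-vendor-exports/*",
            ],
        }
    ],
})

# Constructed sample: the same data shared with one vendor role only, TLS enforced.
# The account id and role name are hypothetical placeholders.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VendorRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/vendor-ingest"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-vendor-exports/*",
        },
        {
            # A Deny with Principal "*" restricts access; it must not be flagged.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::example-vendor-exports",
                "arn:aws:s3:::example-vendor-exports/*",
            ],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """Policy elements may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True when the Principal element matches every AWS principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def find_public_statements(policy_json):
    """Return (Sid-or-index, finding) pairs for Allow statements open to any principal.

    'public'                -> anyone can use the granted actions
    'public-with-condition' -> open principal narrowed by a Condition; review the
                               condition by hand instead of assuming it is safe
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant access
        if not _is_public_principal(stmt.get("Principal")):
            continue
        label = stmt.get("Sid", str(idx))
        if stmt.get("Condition"):
            findings.append((label, "public-with-condition"))
        else:
            findings.append((label, "public"))
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, find_public_statements(doc))
```

Run against the weak policy it reports the `PublicRead` statement; the hardened policy produces no findings because the only open principal is on a Deny. In practice this check complements, rather than replaces, the account-level S3 Block Public Access setting, which stops such a policy from being applied in the first place.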
Too many vendors, too little time
Lastly, having too many vendors results in an overburdened organisation and department. Even if you have the best intentions to vet and reduce your third-party risk, without a streamlined third-party risk management (TPRM) system with tools and technology in place, the complexity and resources required are simply too much.
With so many vendors, you may find yourself limiting your TPRM and selecting those you believe to be "most critical" to focus your attention. There are two major pitfalls with this approach:
- You’re relying on an accurate selection of these vendors. This may be wishful thinking as you’ll need to have a consistent, up-to-date, and comprehensive view of all the vendors in your organisation.
- You’re missing medium-critical vendors with a high risk of compromise. The above method may miss vendors you’ve classified as non-critical even though they have a high likelihood of suffering a cyber incident. This is a significant risk factor you shouldn’t ignore.
Ultimately, this process can result in a problem of unknown and missed risk that will snowball with time and may become unmanageable until the worst occurs: a data breach, an exposure, or hefty regulatory fines.
TPRM is an essential aspect of third-party management and, when done properly, will actually result in a more efficient and productive vendor management system.
Third-party vulnerabilities can expose your organisation
Malicious hackers are very aware that major third-party suppliers and vendors, if exposed, can give them access to hundreds or thousands of companies. If a third party fails to update a key application or device, has poor authentication controls which leads to an impersonation or account takeover attack, or doesn’t have the right network security in place to prevent an attacker from accessing critical files, that exposure can then lead directly to you.
Without any third-party risk management system in place, you’re essentially just crossing your fingers and hoping that the hundreds of vendors you work with are maintaining top cybersecurity hygiene. This is why cyberattacks against companies like SolarWinds can be so dangerous. If you’re not maintaining the proper risk management, you can suddenly turn into an easy target if a major third-party suffers a big attack.
This isn’t a hypothetical scenario, either. In the last 12 months, 54% of organisations suffered a breach via their third-parties.
Effective TPRM is required for robust cyber resilience
Organisations need to invest in third-party risk management via key controls, processes, policies and technologies. While it may seem daunting and overwhelming, an organisation can still properly address their third-party risk without a large department and headcount. Here are some key steps you can take.
Engage with other departments: Making your security department visible, accessible, and something other departments want to engage with can help reduce friction and help them get on board with your security policies and processes. Give them useful cybersecurity tips and resources that can help them outside of work and make sure you’re communicating effectively so they see your department as a helpful resource rather than one that will slow things down.
Prioritise visibility: It’s nearly impossible to manage the risk of something you can’t see. Shadow IT is a major problem, especially with the shift to remote work, and third-parties you’re not aware you’re working with can be especially risky. Starting with processes that create transparency and communication when new third-parties are brought on can help ensure you’re accounting for new vendors. You may also want to invest in environment detection and monitoring tools that take stock of your environment to help improve your overall visibility.
Work with your third parties to improve your risk mitigation: You can work with your legal team to ensure that contracts between you and a third-party vendor have clauses in place that require them to communicate any potential risks, vulnerabilities, and data breaches within a reasonable time frame. Faster communication can help you act and react faster, helping prevent even worse consequences.
However, it’s also important to build good relationships with your vendors and create communication channels that will help them provide more accurate risk assessments, improve their risk posture as you continue working with them, and quickly (and honestly) report any incident in case it happens. You don’t want your first meeting with a third party to be one where something goes wrong. Relationships matter.
Have a way to understand their cybersecurity: Having a due diligence process and deploying helpful tools that help you understand your current and future third parties’ risk posture is an easy way to spot risky vendors and reduce unnecessary risk. It will also help you find ways to collaborate and improve your vendors’ risk posture, work on risk mitigation, and make more informed decisions about your own security controls.
How Risk Ledger can help
Companies across the world are using Risk Ledger to consolidate their vendors into one easy-to-use platform, get a real-time snapshot of the security of their entire supply chain and easily spot potential vulnerabilities. Interested in learning more? Use the form below to speak to a member of our team.