Addressing The Vendor Risk Management Dilemma
It has happened in retail, in hotels, in healthcare, and in many other verticals with many suppliers or partners.
Exactly how has vendor risk management missed the mark so often?
It has become an old story. A large company’s network is gravely breached and, after weeks of investigation, a finger is pointed at a minor vendor whose own system was breached. Savvy cybercriminals followed the trail, and soon it led directly into a large enterprise.
One thing to realize is that while these vendor risk failures happen often, it is not for lack of loud warnings. According to data compiled by the consulting firm PWC, 20% of security incidents at companies in 2010 were attributed to third parties such as vendors. The number spiked to 28% in 2012. In a 2015 cybercrime survey, PWC found that nearly a quarter of companies do not evaluate third parties at all.
This simply should not be abided. Consider the enormous negative fallout from the 40 million credit cards stolen in the Target breach—which was attributed to a breach of one of the retailer’s HVAC contractors. The result? Upheaval in the C-suite, hits on sales and profits, a black eye with consumers, and class-action lawsuits still pending.
Target may feel like old news, but it is not alone.
Other breaches that have not had the same media attention as Target this year have caught our eye: CVS, Walmart, and a host of other major retailers were adversely affected by a breach at the third-party vendor PNI Digital Media. In healthcare, a patient-information portal known as “No more clipboard” was targeted and has had over 4 million individual records stolen (records with social security numbers and other PII) from medical centers, clinics, and hospitals all over the Midwest.
Where Does the Risk Management Responsibility Lie?
It does no good to insist that the blame belongs anywhere other than the companies themselves. In regulated industries—financial services, for instance—the regulators have been adamant for several years that it is incumbent upon the institutions they oversee to regularly vet their vendors on security.
As far back as 2007, the National Credit Union Administration (NCUA) told credit unions: “When evaluating third party arrangements, [NCUA] examiners should ensure credit unions have addressed the following concepts in a manner commensurate with their size, complexity, and risk profile: Risk Assessment and Planning; Due Diligence; and Risk Measurement, Monitoring and Control.”
The NCUA, in various documents, has made it plain that credit unions will be held responsible for the security of their vendors. Companies in other less-regulated industries should take a page from the NCUA’s book and own the responsibility for vendor risk management.
Not Heeding the Vendor Risk Call
The “how-to” of this is fairly straightforward. The starting points, say multiple experts, are a comprehensive risk assessment and thorough penetration testing, both performed by a reputable, independent third party.
These results must be shared with all companies doing business with a vendor, and they also need regular—ideally annual—updating.
If it is that simple, how can it go so wrong so often?
“I don’t think a lot of companies follow their own processes,” says Stephen Ward, a vice president with the security firm Pinkerton.
Ward’s skepticism is underlined by comments made by the head of a small security firm whose practice is rooted in financial services. This individual (who requested anonymity to avoid embarrassment for his clients) says, “I can count on one hand the clients who have actually vetted us. It shocks me, but many do not take this seriously.” He adds that he is rarely asked to provide his own firm’s test results, even though he has a packet at the ready.
Ward notes that often a company’s security processes are exemplary on paper, but they tend to fail in practice, especially when time is short and decisions have to be made on the fly.
By way of example, he mentions a European scam Pinkerton has been following in which legitimate-appearing trucking companies are in fact controlled by organized crime. Call one up to handle an emergency request, Ward says, and superficially everything is in order—licenses, permits, all the proper paperwork is available.
Except that it is all counterfeit.
“A few calls would have uncovered the scam,” says Ward. He adds, “Some companies are in a fast-paced environment. Some feel vetting a vendor will slow them down.”
Instead, what happened in this case is that victims lost many truckloads of goods, just because they set aside their established security procedures in the interest of saving time.
Safe on Paper; Insecure Reality
That incident, of course, is from the physical world, but Ward cautions that similar scams can and do happen in the digital world.
“Anytime you sign on a new vendor, do a quick security vetting,” he urges. “Ask to see their plans.”
Tip for SecurityScorecard Customers: Type your vendor’s website URL into the platform to retrieve detailed security-risk information instantly, without intruding on your vendor’s systems.
Many security breaches at big enterprises can be traced back to initial breaches at their smaller vendors. However, in most cases these breaches could have been dodged if the large customers had properly vetted the vendors.
[ISMG & SecurityScorecard Webinar] – Take Control of Security’s Biggest Blind Spot: Third Party Vendor & Partner Risk
September 28th | 11:30am EST