For many organizations, third parties or suppliers bring a level of risk that is outside of direct control.
Unfortunately, many organizations still struggle to identify what level of risk each vendor represents and how to address it. As a result, many organizations treat all vendors the same, which usually means sending a questionnaire, getting the responses back and considering the job done.
In this video, Mihir Mistry, Senior Security Manager for GRC, covers the high-level steps that need to be taken to mitigate risk from your vendors, including:
- Establishing a list of vendors
- Categorization according to business importance
- Defining what they have access to and how they access it
- Establishing the level of control for each vendor based on risk
Cybersecurity management is becoming big. So enterprises are really focusing on that. They want to focus on the risks that they can control. The people that you hire, they go through your policy and all that, so that’s a risk you can control. Vendor management, or third parties or suppliers, they bring in a risk that’s outside your control. So now the onus goes on the corporations to manage them. How are you going to rank your vendors? What tiers do they follow? What type of controls do you apply to each tier? You have your high-risk vendors, meaning if they go down, then that is a direct impact on your business. You have your lowest vendors: if they go down, then you have the capacity to stay down for 48 to 72 hours. So helping organizations identify that, what we see in the market is they don’t know how to identify that. They have a bunch of vendors, and they all treat them the same way, which is send them a questionnaire, get the response back and the job’s done. So effectively, to manage them, they need to break them down into different tiers, see what is the business risk that each vendor brings, and then apply controls accordingly.
Being global in cybersecurity, being globally applied and not just regionally focused, one of the complexities that’s being added is, hey, I have a vendor in China. How should I treat them differently from a vendor in the U.S., where I have the capacity to maybe go on site and see what their operation is? But I may not always have the capacity to go to China once a year and do a walk-through. So that’s adding a big complexity to that whole framework as well.
You need to start small. You need to take baby steps. You need to start with a list of your vendors. You need to start by categorizing them, saying what’s the business relationship you have with the vendors. Then go into a data conversation. What type of information do they have access to? And then, how do they access that information? Some vendors may have their own working space that’s completely separated. Or some vendors may actually be remoting into your network on a daily basis. So again, ask those basic questions. That will definitely help you identify what value the vendor brings, and, from a cybersecurity point of view, how much control you want to put on this vendor.
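The steps above (inventory, business relationship and downtime tolerance, data accessed, access method, then controls per tier) can be turned into a small, repeatable tiering model. The example below is added here and is not code from the video or from the speaker's organization; the weights, tier boundaries, control lists and the sample vendor inventory are all assumptions constructed for illustration. The only figure taken from the talk is the 48 to 72 hour downtime tolerance that marks the lowest tier. The tier is driven by the single worst factor rather than an average, so one severe attribute (for example a low-value vendor that remotes into the network daily) cannot be hidden by otherwise benign answers.

```python
from dataclasses import dataclass

# Assumed weights for the "what data" and "how do they access it" questions.
# An organization would calibrate these against its own classification scheme.
DATA_WEIGHT = {"none": 0, "public": 0, "internal": 1, "confidential": 2, "regulated": 3}
ACCESS_WEIGHT = {"none": 0, "isolated_workspace": 0, "api": 1, "remote_into_network": 3}

# Assumed control sets per tier (tier 1 = highest risk).
TIER_CONTROLS = {
    1: ["full security assessment", "on-site or evidence-based review",
        "contractual security clauses", "access logging and monitoring", "annual reassessment"],
    2: ["detailed questionnaire", "evidence for key controls", "annual reassessment"],
    3: ["baseline questionnaire", "reassess when data or access changes"],
}


@dataclass(frozen=True)
class Vendor:
    name: str
    relationship: str                # business relationship, from the inventory step
    downtime_tolerance_hours: int    # how long the business can operate without this vendor
    data_classes: frozenset          # classifications of data the vendor can reach
    access_method: str               # how the vendor reaches that data


def criticality_score(hours: int) -> int:
    """Business-importance score from downtime tolerance; 48-72 h is the lowest tier per the talk."""
    if hours < 24:
        return 3
    if hours < 48:
        return 2
    if hours <= 72:
        return 1
    return 0


def data_score(data_classes) -> int:
    """Highest weight among the data classes; unknown labels must be classified, not guessed."""
    unknown = set(data_classes) - DATA_WEIGHT.keys()
    if unknown:
        raise ValueError(f"unclassified data labels: {sorted(unknown)}")
    return max((DATA_WEIGHT[c] for c in data_classes), default=0)


def access_score(method: str) -> int:
    if method not in ACCESS_WEIGHT:
        raise ValueError(f"unknown access method: {method!r}")
    return ACCESS_WEIGHT[method]


def tier_for(scores: dict) -> int:
    """Worst single factor decides the tier; averaging would mask one severe attribute."""
    worst = max(scores.values())
    if worst >= 3:
        return 1
    if worst == 2 or sum(scores.values()) >= 3:
        return 2
    return 3


def assess(vendor: Vendor) -> dict:
    scores = {
        "criticality": criticality_score(vendor.downtime_tolerance_hours),
        "data": data_score(vendor.data_classes),
        "access": access_score(vendor.access_method),
    }
    tier = tier_for(scores)
    return {"vendor": vendor.name, "scores": scores, "tier": tier, "controls": TIER_CONTROLS[tier]}


def assess_inventory(vendors) -> list:
    """Assess every vendor and order the result highest-risk first."""
    return sorted((assess(v) for v in vendors), key=lambda r: (r["tier"], r["vendor"]))


# Constructed sample inventory (hypothetical vendors).
SAMPLE_VENDORS = [
    Vendor("PayrollCo", "payroll processing", 8, frozenset({"regulated", "confidential"}), "api"),
    Vendor("RemoteHelpdesk", "IT support", 48, frozenset({"internal"}), "remote_into_network"),
    Vendor("OfficeSupplies", "stationery", 96, frozenset({"public"}), "none"),
    Vendor("AdAgency", "marketing", 72, frozenset({"confidential"}), "isolated_workspace"),
]

if __name__ == "__main__":
    for result in assess_inventory(SAMPLE_VENDORS):
        print(f"tier {result['tier']}  {result['vendor']:16} {result['scores']}")
        for control in result["controls"]:
            print(f"    - {control}")
```

Running the script prints the inventory ordered by tier with the control set each vendor should receive; RemoteHelpdesk lands in tier 1 purely because of its access method, which is the case the talk warns about.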