Since the hugely publicized Target breach of 2013, the importance of understanding the cybersecurity environment of your business’ third-party vendors has grown. This breach served, in part, as a catalyst for new requirements and best practices. For example, in 2015, the Federal Financial Institutions Examination Council (FFIEC) updated its Business Continuity Booklet, one in the series of booklets that make up the larger Information Technology (IT) Examination Handbook, to include Appendix J: Strengthening the Resilience of Outsourced Technology Services. The new recommendations stated that continuity planning isn’t limited to just your organization, but extends to all outsourced and supplier relationships as well.
The uber-attack on Target started because one of their minor vendors, an HVAC contractor, was compromised. The cyber-thieves obtained a list of Target’s suppliers through a simple Google search, and then perpetrated an email phishing attack. It’s unknown how many suppliers were targeted, but in this case it only took one. An employee at the HVAC contractor clicked the link, and the cyber-thieves gained access to their network. When the employee logged on to the Target network to control their HVAC systems, the criminals found their way through that channel to gain access to the Target network. Once in, they patiently navigated through, and over a period of time, figured out how to compromise the Point of Sale (POS) terminals. The rest is history.
The Target breach teaches us a few important lessons. First of all, low priority doesn’t necessarily mean low risk. Second, cyber-thieves can be very creative. Access to Target’s POS terminals wasn’t easy. Target’s stored data was encrypted. However, the criminals knew that in order for the data to be processed, it had to be decrypted. So, they developed a way to grab the data while it was decrypted in memory.
Perhaps the biggest lesson we can learn from Target, though, is that any vendor who has access to your customer data or to your internal network is a potential risk. That’s why it’s important that you understand how these vendors manage their own internal control environment and their access to yours. Developing a Vendor Management Program can help you ensure that they are following acceptable standards and best practices, so you can mitigate your risk and protect your data. Remember, you can outsource the function, but never the responsibility.
What’s in a Vendor Management Program?
If you’re starting from scratch, it’s easier to build a program once you know who your vendors are. Because you’re already working with them, you understand more about what the potential issues will be, and you can build your policies and standards with some forethought as to how they will apply.
A Vendor Management Program provides you with a means to:
- Identify and rank your vendors.
- Determine level of due diligence research required, and how to perform it.
- Document everything.
- Report your findings.
Let’s take a closer look at each step.
#1. Creating and ranking your vendor list.
First, you need to create a list of all of your vendors. It’s important to identify all vendors that have access to customer and/or sensitive data, as well as those who have access to your network. For those who have access to customer and/or sensitive data, you need to know what kind of environment your data will be in and what could happen if cybercriminals are able to access the customer information under your vendor’s control. With anyone who has access to your network, regardless of whether they are major (e.g., a vendor who supports your internal IT system) or minor (e.g., an HVAC contractor), you need to understand what controls they have in place.
Next, you want to rank your vendors according to the risk associated with the relationship. This is an important step because it will determine a couple of things: first, how often you need to review the vendor, and second, how deep your due diligence research needs to go. Not all vendors are created equal when it comes to risk. You want to be able to distinguish those vendors who are critical to your operation from those whose loss of services would not be disruptive at all. Your policy should contain several risk classifications, depending on regulatory requirements and best practices.
#2. Performing Due Diligence.
From our perspective at Sage, your due diligence – the research you do on a vendor – is all about cybersecurity. You’re discovering what you need to know to mitigate the risks associated with outsourcing services. You use this process to determine the cybersecurity resiliency of your vendors, including controls in place, business continuity plans, incident response programs, vulnerability and breach notification standards, etc. Part of your due diligence process also includes collecting documentation and evidence from vendors, and developing contract language that requires the behaviors and controls you deem necessary.
#3. Document, Document, Document!
All the hard work you’ve done needs to be documented. Create a spreadsheet or database to track all of your vendors. Create a checklist that you’ll use for each review of a critical-, high-, medium-, and low-risk vendor. And finally, maintain an organized library of all the documents provided by your vendors.
Who sees your good work will vary depending on your organization, but someone will need to review and approve vendors based on the information you’ve assembled. You should have a mechanism to report serious issues to senior management once problems are known. You should also be prepared to demonstrate the efficiency of your Vendor Management Program to auditors. We also suggest that you submit a list of critical and high-risk vendors to Senior Leadership at least annually.
In closing, it’s important to note that this process is not a one-and-done exercise. You need to know if the value delivered by the vendor is consistent with the agreements in place. So, vendor management includes not just due diligence at the front end of a relationship, but also ongoing monitoring of the relationship and the contract agreement, and making sure everything is being done according to those agreements.
Need assistance with assessing the cybersecurity of your service providers?
Sage can help! As external dependencies continue to grow, setting up and maintaining an effective cybersecurity review program can be a daunting task. We can assist with the implementation of a program that makes sense for your organization’s business needs and is tailored to the unique conditions that are the byproduct of every third-party business relationship.