Sage Advice - Cybersecurity Blog

Managing Vendor Cybersecurity Risk: Lessons from the Mega Breach that Started it All

Even more than five years later, the Target breach is still one of the top 10 data breaches of the 21st century. It was also a watershed moment for cybersecurity. Not only did it shine a spotlight on payment card security, it also brought to light the idea that third-party vendors are a potential cybersecurity risk that organizations need to consider.

Topics: Vendor Management, Risk Management

Why Managing Third-Party Cybersecurity Risk Matters

It has become the norm for businesses today to rely on a multitude of third-party service providers and other vendors to support core business functions. It’s also pretty common for these third-party entities to have access to a company’s data and its internal systems. This interconnectivity presents an inherent risk that must be managed. After all, you can outsource the function, but never the responsibility.

Topics: Vendor Management, Risk Management

Seven Steps to a Successful Vendor Risk Management Program

If you’re like most businesses, you rely on a variety of third parties to support your core business functions. In many cases, they have the ability to connect to your network. By providing them remote access, you are effectively increasing the attack surface available for cybercriminals to exploit. So what happens if their systems aren’t secure? They could inadvertently open a door into your network and let an attacker in.

Topics: Vendor Management

Assessing Vendor Cyber Readiness: What to Look for in a SOC Report

Even when contracting with a third-party service provider or other vendor, protecting your data is always your responsibility. Establishing a vendor management program allows you to have proper oversight of these vendors, and is an essential element of your organization’s cyber resilience strategy. You need to understand how your critical and high-risk vendors manage their own internal control environment and/or their connection to yours, so you can ensure they will meet or exceed your internal policy and standards requirements.

Topics: Vendor Management

Managing Vendor Cybersecurity Risk: What to Do Before You Sign

In today’s business world, it’s pretty common to rely on third parties to perform or support critical operations. However, this reliance opens your organization up to cyber risk, especially if you work with vendors who have access to your customer and/or sensitive data or access to your internal network. This access effectively expands your cyber-attack surface. That’s why a vendor management program should be a critical part of your operations. You have sole responsibility for protecting your data – you can’t outsource that – so you need to understand how your vendors manage their own internal control environment and their connection to yours, so you can ensure it meets or exceeds your internal policy and standards requirements.

Topics: Vendor Management

Creating a Vendor Management Program to Mitigate Cybersecurity Risk

Since the hugely publicized Target breach of 2013, the importance of understanding the cybersecurity environment of your business’ third-party vendors has grown. This breach served, in part, as a catalyst for new requirements and best practices. For example, in 2015, the Federal Financial Institutions Examination Council (FFIEC) updated its Business Continuity Planning Booklet, one in the series of booklets that comprise the larger Information Technology (IT) Examination Handbook, to include Appendix J: Strengthening the Resilience of Outsourced Technology Services. The new recommendations stated that continuity planning isn’t limited to just your organization, but extends to all outsourced and supplier relationships as well.

Topics: Vendor Management

Vendor Management Best Practice for Non-Regulated Industries

Many of the recent cyber attacks in the news have something in common: a third-party vendor or affiliate is involved. Proper oversight of these third parties is an essential element of your institution’s cyber resilience strategy. You can outsource the function, but never the responsibility.

Topics: Vendor Management

Vendor Management - Tips for Creating a Vendor List

You already know who your critical vendors are, right? But do you know all your vendors? If a regulator were to walk into your office and ask about Vendor Z, are you confident enough in your documentation that you’ll be able to explain Vendor Z to them?

Even though you have a handle on your critical vendors, it’s often the “minor” vendors that get us in trouble. If the regulators hear you say, “I’m sorry, I don’t know who Vendor Z is, but I’ll find out for you,” it makes them wonder whether you really have a firm grasp on your Vendor Management program.

Topics: Compliance, Vendor Management