When we think of Vendor Risk Management (VRM), there’s usually a policy or a procedure, possibly even a process to follow, and for good reason. The consistent approach that effective VRM gives you should lead to lower financial and strategic risks, increased admin efficiencies, reduced costs, and quicker onboarding of suppliers.
A painful lesson that this year has taught businesses is that they are only as resilient as the vendors they rely on. A promise is only as good as the ability to back it up. That promise might be to deliver a product on time, or it might be to protect data.
Such a vendor could be Amazon, wherein a company uses its cloud platforms to store and process data. Or it could be the designer who works on your rebranding project every few years but who has VPN access to your file server so they can store digital assets.
VRM is not a one-off process for choosing a supplier; it is a continual review process. Requirements change, suppliers change their own internal processes, and regulatory frameworks change. Security risks change, too.
Here are some reasons why VRM should be a fundamental part of a business's cybersecurity strategy.
Every supplier has a different relationship with each company with whom they work, and each presents a different set of risks. Not every supplier needs to meet ISO27001 standards. Creating a template that includes a risk/impact assessment ensures that anyone in the organization choosing a vendor conforms to a set of standards appropriate to the relationship.
Many relationships with third parties are a two-way street; access to services and infrastructure goes both ways using APIs, logins, and even physical access. It is important to know whether a company or organization has a list of all of the third parties with whom they share data. Authorization and access should be reviewed regularly to reduce the possibility and impact of a data breach.
Any company’s data could be stolen, held for ransom, or used against the company as part of a business email compromise scam. Just as companies use third parties, those trusted third parties probably do as well. Every requirement placed on a vendor needs to be at least matched by their own third parties.
Yes, compliance: any discussion of risk warrants a discussion of compliance. Vendors can change where and how they process client companies' data. This can lead to issues if, for example, a company processes data on EU citizens and its CRM provider decides to process or back up the data in another region. It’s just one more matter to stay abreast of.
A vendor choice made more than a few months ago might not be suitable today. The simple reason is that data that would normally have been processed by people sitting in their secure, certified office environments might now be accessed by people sitting in their bedrooms relying on their own home network security. Indeed, their own suppliers could have an impact on systems, should appropriate oversight and resiliency not be baked into the remote working environment.
Like every other aspect of cybersecurity, VRM isn’t a tick-box exercise; it’s a continuous process. Done well, it brings peace of mind. Done poorly, or not at all, it can leave a company’s financial and legal responsibilities, as well as its reputation, in a much riskier environment than expected.
Ask the right experts how to implement VRM effectively in your business. Taking steps now can prevent issues in the future and potentially help mitigate any existing problems before they worsen.
We would like to thank Kevin Gorsline for providing insight and expertise that greatly assisted this research.
Kevin Gorsline is a Managing Director in J.S. Held's Global Investigations Practice who joined following J.S. Held's acquisition of TBG Security. For several years, Kevin served as the Chief Operating Officer and head of the Risk and Compliance practice at TBG Security, where he was responsible for providing the leadership, management, and vision necessary to ensure that the company had the proper operational controls, administrative and reporting procedures, and people systems in place to effectively grow the organization and to ensure financial strength and operating efficiency. His experience and leadership throughout his career have been focused on developing and delivering information security services and solutions, providing outstanding client service, and driving profitable revenue growth. Kevin brings established proficiency as an IT leader with extensive experience in risk and compliance services, applications development, and implementation projects both in the United States and abroad.
Kevin can be reached at [email protected] or +1 843 890 8596.