
Making Vendor Risk Management Part of Your Security Strategy


When we think of Vendor Risk Management (VRM), there’s usually a policy or a procedure, possibly even a process to follow, and for good reason. The consistent approach that effective VRM gives you should lead to lower financial and strategic risks, increased admin efficiencies, reduced costs, and quicker onboarding of suppliers.

A painful lesson that this year has taught businesses is that they are only as resilient as the vendors they rely on. A promise is only as good as the ability to back it up. That promise might be to deliver a product on time, or it might be to protect data.

Such a vendor could be Amazon, where a company uses its cloud platforms to store and process data. Or it could be the designer who works on your rebranding project every few years but who has VPN access to your file server so they can store digital assets.

VRM does not just mean a one-off process for choosing a supplier; it is a continual review process. Requirements change, suppliers change their own internal processes, and regulatory frameworks change. Security risks change, too.

Here are some reasons why VRM should be a fundamental part of a business's cybersecurity strategy.

Consistency

Every supplier has a different relationship with each company it works with, and each presents a different set of risks. Not every supplier needs to meet ISO 27001 standards. A template that includes a risk/impact assessment ensures that anyone in the organization choosing a vendor conforms to a set of standards appropriate to the relationship.

Visibility

Many relationships with third parties are a two-way street; access to services and infrastructure goes both ways using APIs, logins, and even physical access. A company or organization needs to know whether it has a list of all of the third parties with whom it shares data. Authorization and access should be reviewed regularly to reduce the likelihood and impact of a data breach.

Accountability

Any company’s data could be stolen, held for ransom, or used against the company as part of a business email compromise scam. Just as companies use third parties, those trusted third parties probably do as well. Every requirement placed on a vendor needs to be at least matched by their own third parties.

Compliance

Yes, compliance, because the discussion of risk warrants discussing compliance. Vendors can change where and how they process client companies' data. This can lead to issues if, for example, a company processes data on EU citizens and its CRM decides to process or back up the data in another region. It’s just one more matter to stay abreast of.

Everything's "Gone Weird"

A vendor choice made more than a few months ago might not be suitable today. The simple reason is that data that would normally have been processed by people sitting in their secure, certified office environments might now be accessed by people sitting in their bedrooms relying on their own home network security. Indeed, their own suppliers could have an impact on systems, should appropriate oversight and resiliency not be baked into the remote working environment.

Conclusion

Like every other aspect of cybersecurity, VRM isn’t a tick-box exercise; it’s a continuous process. Done well, it brings peace of mind. Done poorly, or not at all, and a company’s financial and legal responsibilities, as well as its reputation, may find themselves in a much riskier environment than expected.

Ask the right experts how to implement VRM effectively in your business. Taking steps now can prevent issues in the future and potentially help mitigate any existing problems before they worsen.

Acknowledgments

We would like to thank Kevin Gorsline for providing insight and expertise that greatly assisted this research.

Kevin Gorsline is a Managing Director in J.S. Held's Global Investigations Practice who joined following J.S. Held's acquisition of TBG Security. For several years, Kevin served as the Chief Operating Officer and head of the Risk and Compliance practice at TBG Security, where he was responsible for providing the leadership, management, and vision necessary to ensure that the company had the proper operational controls, administrative and reporting procedures, and people systems in place to effectively grow the organization and to ensure financial strength and operating efficiency. His experience and leadership throughout his career have been focused on developing and delivering information security services and solutions, providing outstanding client service, and driving profitable revenue growth. Kevin brings established proficiency as an IT leader with extensive experience in risk and compliance services, applications development, and implementation projects both in the United States and abroad.

Kevin can be reached at [email protected] or +1 843 890 8596.
