Why Your Business Needs a Vendor Management Policy

Written by Jake Olcott
VP of Communications and Government Affairs, Bitsight

A vendor management policy is a best practice for organizations that want to tier their vendors by risk. Such a policy identifies the vendors that pose the greatest cybersecurity risk to your organization and then sets out the controls the company will implement to reduce that risk. These controls might include rewriting contracts so that vendors are obligated to meet a defined security baseline, or requiring an annual security assessment.

Unfortunately, many organizations overlook the importance of a vendor management policy, instead focusing their attention on their own internal security posture. However, there are several reasons why you should consider implementing a vendor lifecycle management policy today.

1. You could get sued

There are a growing number of legal requirements in a variety of sectors — from finance, to retail, to healthcare, to energy — on how companies should manage their third-, fourth-, and nth-party risk.

Regulators have recognized that breaches through third and fourth parties (the SolarWinds compromise is one example) can have significant, sometimes catastrophic, consequences for an organization, and have created various legal requirements in an effort to ensure organizations manage their supply chain and partner cyber risk more carefully.

If you are in a regulated industry and have no vendor management policy, you could be out of compliance (and in a lot of trouble).

2. You’re a target

An organization should be especially concerned about third and fourth parties that have access to its most sensitive data or direct access into its corporate network.

If your business works with an extended ecosystem of vendors, sub-contractors, and partners, you are naturally creating more targets that attackers can exploit. This is becoming more common, because organizations are outsourcing to vendors more frequently, either to save costs or to take advantage of vendor expertise.

The more vendors you have, the larger the attack surface you create. This is a well-known risk, but too many companies don't give it enough thought.

3. You have vulnerabilities you don’t even know about

Not all vendor risks are easy to understand. Many organizations have entered into business relationships with third parties without fully understanding the risk to their data. What's more, the first party may never have set requirements in its vendor management policy for how vendors should secure that data.

Many organizations struggle even to know who has access to their sensitive data, how much access they have, and where that data resides. These unknowns are a valid reason for concern.

4. You might face some severe consequences

To see how real the consequences of failing to manage vendor risk are, simply read some of the latest cybersecurity headlines. Today, 59% of data breaches originate with third-party vendors.

In the healthcare sector, for example, these breaches are rising sharply. Malicious cyber activity has added to the dangers of the COVID-19 pandemic. Attacks on vaccine research, and on the exposed remote workforces many companies rely on, are just two of the new challenges that can result in damaging impacts on organizations in the healthcare industry.

The truth is, if you don't have a vendor management policy in place today, your company is being negligent. Without a policy, there is a good chance your organization's sensitive data is being handled by someone who shouldn't have access to it. That puts the health of your entire company on the line.

How to create a vendor management policy

If the above reasons have convinced you to implement a vendor management policy immediately, do you know where to start?

You might be feeling a little overwhelmed, but the four steps below will get you started on a vendor management policy right away.

1. Build a team

It's critical to have people from many different positions and perspectives on your vendor management policy team. Aside from upper management, you want someone from acquisitions and procurement, a lawyer, an IT security person, and a representative of the business unit who understands what data the vendors actually handle. This team will be charged with the next step: gathering a list of vendors and determining which of them are critical.

2. Gather a list of your vendors

Keep in mind that the definition of a vendor is broader than you might think. This all-encompassing list should include every third party, contractor, or associate your organization does business with or works in partnership with. A vague idea of which companies might make the list isn't enough; you need to know exactly who these vendors are.

Once the list is compiled, you’ll begin the critical assessment portion of your vendor management policy. You’ll need to determine which vendors:

  • Have access to your sensitive and important data
  • Have direct access to your corporate network

Vendors that meet either criterion should be categorized as "critical." These are the vendors you'll want to spend the most time learning about and monitoring, because if one of them is compromised and the attacker uses that vendor's data or network access as a path into your organization, the damage to your data or network could be catastrophic.


3. Keep vendor management in mind during the diligence process

At this point, you have identified the vendors you're already working with and determined whether each is critical. But what about new vendors?

A robust vendor management policy also covers the vendors you're looking to onboard, and helps you decide whether to do business with them at all. That decision depends on many factors, but it should definitely take the prospective vendor's cybersecurity posture into account.

At Bitsight, we offer time-limited access to our security ratings to help you determine whether a vendor relationship is worth pursuing.

4. Don’t forget to continuously monitor

Vendor management policies don't end after due diligence. Traditional vendor risk assessment methods are subjective, unverifiable, and unactionable, and a point-in-time look at a vendor's security one day a year isn't enough. You need a way to continuously monitor and verify that a third party's security posture remains strong, and to be alerted to new risks and vulnerabilities in its network as they appear.

Protect your business

Building a vendor management policy will give you confidence that you and your vendors are meeting commonly expected standards of care.

Continuously monitoring and working with your vendors to ensure they’re meeting your cybersecurity expectations will reduce the likelihood that you will become the victim of a cyber attack through your supply chain.

By putting a vendor management policy into place immediately, you’ll know that your vendors take cybersecurity as seriously as you do.
