Manage vendors, manage risk


By James Carpp, CISA, CRISC, CIRM, CISM

In 2014, retailer Target suffered hundreds of millions of dollars of damage because of a cyberattack. For almost three weeks during the busiest shopping time of the year, approximately 40 million credit and debit card numbers were covertly collected by hacker-installed malware as shoppers made purchases at Target.

It all happened because an attack on one of Target’s heating and cooling contractors yielded Target network credentials. Target did not segment the contractor’s network access, so the hackers had the keys to the kingdom. This missing control allowed the malware to be installed, and the rest is history.

According to security firm Wiz, 82% of companies that give access to vendors give access to all their data. Additionally, 90% of those respondents have no idea what level of access they granted. Clearly, many companies are unaware of the risk they’re assuming with vendors.

What’s the moral of the story? Organizations must mitigate risk by continuously managing vendor relationships.

What is vendor management?

A 2010 study by ESI International found 94% of businesses have an outsourced relationship, which was defined as hiring a third party to do something that could be done internally. Vendor management focuses on controlling the risk associated with hiring a third party as much as possible, so your organization is protected. A robust program includes:

  • Mission and charter
  • Scope
  • Defined roles and responsibilities
  • Maintained vendor inventory
  • Selection process
  • Annual evaluation
  • Contract criteria
  • Security review

While vendor management can be complex, it’s critical. As Target and others have shown, if you’re outsourcing any aspect of your business, managing vendors is managing your risk.

Setting up and sustaining your program

For small- and medium-sized businesses, the vendor management process needs to be straightforward and simple to maintain. Otherwise, it may not be viable. To accomplish that, consider the following framework:

Setup – Document the reason for the program and the structure. Also be sure to define the roles and responsibilities required.

Vendor inventory – Capture all existing vendors, document pertinent information, and keep the inventory current.

Vendor selection – Develop a standard to evaluate vendors before engaging their services.

Annual evaluation – Over time, the nature of the relationship might change, so it is important to review vendor performance regularly. At a minimum, this should occur annually.

Contract criteria – Not all contracts are alike. Develop a standard to evaluate contracts before entering into them, as well as yearly. This helps ensure the organization is protected.

Security review – While often overlooked, security reviews are critical because vendors clearly can be a major source of risk. Establish a review standard and continually evaluate it because threats evolve constantly.

Getting started

Vendor management is all-encompassing. That’s why the largest organizations in the world have entire teams dedicated to it.

At small- and medium-sized businesses, however, there may be no one working on vendor management and risk mitigation. If there is, that person may be overwhelmed by the comprehensive, ongoing nature of the undertaking.

This is where Rehmann can help. In about a day, we can work with your organization and deliver a turnkey vendor management program, complete with the knowledge and tools to start mitigating risk immediately.

To get started, email us, call (866) 799-9580, or contact us online.

Published in Cybersecurity
