By James Carpp, CISA, CRISC, CIRM, CISM
In late 2013, retailer Target suffered a cyberattack that ultimately cost it hundreds of millions of dollars. For almost three weeks during the busiest shopping season of the year, malware the attackers had installed on point-of-sale systems covertly collected approximately 40 million credit and debit card numbers as shoppers paid at Target.
It all happened because an attack on one of Target’s heating and cooling contractors yielded Target network credentials. Target had not segmented the contractor’s network access from the rest of its network, so the attackers had the keys to the kingdom. That missing control let the intruders move from the vendor’s access to the payment systems and install the malware, and the rest is history.
According to security firm Wiz, 82% of companies that give access to vendors give access to all their data. Additionally, 90% of those respondents have no idea what level of access they granted. Clearly, many companies are unaware of the risk they’re assuming with vendors.
What’s the moral of the story? Organizations must mitigate risk by continuously managing vendor relationships.
A 2010 study by ESI International found that 94% of businesses have an outsourced relationship, defined as hiring a third party to do something that could be done internally. Vendor management focuses on controlling, as far as possible, the risk that comes with relying on a third party, so that your organization stays protected. A robust program includes:
While vendor management can be complex, it’s critical. As Target and others have shown, if you’re outsourcing any aspect of your business, managing vendors is managing your risk.
For small- and medium-sized businesses, the vendor management process needs to be straightforward and simple to maintain. Otherwise, it may not be viable. To accomplish that, consider the following framework:
Setup – Document the reason for the program and the structure. Also be sure to define the roles and responsibilities required.
Vendor inventory – Capture all existing vendors, document pertinent information, and keep the inventory current.
Vendor selection – Develop a standard to evaluate vendors before engaging their services.
Annual evaluation – Over time the nature of the relationship might change, and it is important to review vendor performance regularly. At a minimum, this should occur annually.
Contract criteria – Not all contracts are alike. Develop a standard to evaluate contracts before entering into them, and again yearly. This helps ensure the organization is protected.
Security review – Although often overlooked, security reviews are critical because vendors can be a major source of risk. Establish a review standard and re-evaluate it continually, because threats evolve constantly.
Vendor management is all-encompassing. That’s why the largest organizations in the world have entire teams dedicated to it.
At small- and medium-sized businesses, however, there may be no one working on vendor management and risk mitigation at all. If there is, that person may be overwhelmed by the comprehensive, ongoing nature of the undertaking.
This is where Rehmann can help. In about a day, we can work with your organization and deliver a turnkey vendor management program, complete with the knowledge and tools to start mitigating risk immediately.
To get started, email us, call (866) 799-9580, or contact us online.