Misconceptions About Vendor CYBER Risk Management

I talk about the importance of vendor cyber risk management programs all the time.  Vendors have been at the root of many very major breaches such as Target and Home Depot and more recently Capital One.  Here are some thoughts around vendor cyber risk management.

  • The vendor is big and publicly traded, so surely they are secure.  The source of the Capital One breach was Amazon.  Enough said.
  • I don’t share non-public personal information with the vendor, so they are a low risk.  First, if a vendor is a trusted partner, the risk is high because, well, they are trusted.  If the vendor gets compromised and you receive say, a poisoned email from that vendor, you are more likely to open it and second, more and more laws address any personal information and not just non-public personal information.
  • The vendor is not publicly traded.  True, if the vendor is not public there may not be much information online, but that doesn’t stop you from asking for information.  In Colorado, for example, you are required by law to verify that a vendor can protect personal information before you let them have it.
  • I don’t share data with them electronically.  Think about a document storage company or a document mailing service.   They still represent a risk.
  • The vendor is well known so surely they are secure.  Is Target well known?  Marriott?  Equifax?  Sorry, size doesn’t protect you.
  • The vendor was already hacked, so it's all good now.  There is a kernel of truth here.  Many times companies do improve their security after a breach, but there is no way of knowing without doing your own assessment.
  • The vendor is a big tech company – spent bazillions on their software – so surely it is secure.  Companies' data stored at Amazon is compromised all the time.  It may not be the vendor's fault – you may not have configured things right – but your data is still compromised.
  • The Vendor won’t provide documents that we have asked for.  Often vendors can’t provide everything you might like but that doesn’t mean that you shouldn’t get as much as you can.  And then you have to make a decision as to whether you should do business with them.  If companies lose enough business they will change their ways.
  • We have reviewed the vendor's security and it is good, so we do not need to worry about their vendors.  Nope.  Not the case.  There was a recent breach of about 24 million mortgage documents.  What happened?  The banks hired a vendor.  That vendor outsourced part of the work, and the subcontractor was hacked, leaving the banks financially responsible.
  • I’ve never been hacked so surely my vendors won’t be either.  Hope is not a good security strategy.  Remember that it took Marriott 4 years to figure out they had been hacked.  The longest running undetected hack I know about was a tech company that was compromised for more than ten years.  They are no longer in business.   Bankrupt and sold off for scrap.

How strong is your program?  Deal with it now or deal with it after a breach.  Now is cheaper, I promise.
