Vendor Risk Management Common Misconceptions

If yesterday’s post (on Asus) and many of my posts in the past are any indication,  supply chain risk is a huge problem and not very well handled at many companies.  Part of the reason why is all of the misconceptions we have.  Here are a few and why they are misconceptions:

The vendor is a large company; surely they have a great security program.

Equifax was a vendor to thousands of companies.  No problem here.

Marriott was a vendor to millions of customers.  Any problems?

The U.S. Office of Personnel Management (OPM) held background-investigation and personnel records on more than 20 million people.

You get the idea.

We haven’t given the vendor any Non-public Personal Information (NPI) so there is not much risk.

More states are shifting the standard of care from NPI to personally identifiable information (PII), which is a much bigger footprint.  If the vendor holds your customers' PII and the vendor has a breach, guess who is on the hook legally?  Answer: you.  You picked the vendor, and a contract clause does not transfer your obligation to your customers or your regulator.

The vendor is privately held, so we can’t get any information on them.

Even if the vendor is privately held you can still ask for information.  You can ask for an accountant's statement.  You can ask about their cybersecurity program and for evidence that it actually operates (policies, assessment results, how they handle incidents).  You can ask for a lot of information.  Do so.

We don’t give our vendor data in electronic format, so there is not much risk.

While paper is lower risk, it is not no risk.  Your shredding service only gets paper, and a lost or unlocked shred bin is still a breach.  Likewise your document storage vendor.  Consider each situation carefully.

The vendor’s security is probably good because they are well known.

Target is well known.

Home Depot is well known.

Marriott is well known.

And hundreds of others.  Any questions?

Our vendor was hacked, but they say that they fixed the problem.

Maybe, but maybe not.  It depends.  Did they put a band-aid on the problem or did they fix the systemic issues underlying it?  Ask questions: what the root cause was, what changed, and how they would know if it happened again.  This will likely take a bit of digging, but do it anyway.

This vendor has a breakthrough product; surely their security is good too.

Again maybe, but maybe not.  Sometimes breakthrough features are deemed to be more important than security and privacy.  Don’t assume.

The vendor won’t give us what we ask for so we are out of luck.

Maybe.  How important is what you are asking for?  Should you consider a different vendor?  Will they let you look at it but not keep it (maybe in person or maybe over a web conference)?  Is there alternative information that would work?  They do likely want your business, so engage them to help you figure it out.

The vendor's security program looks strong, so their third parties (our fourth parties) are strong too, right?

Maybe, but that is a bit of a stretch.  Review their vendor cyber risk management program first before you make that assumption, especially if a fourth party has your sensitive data.  Ask how they assess their own vendors and what they require of them by contract.

I would never fall for a phishing attack so I am sure that our vendor wouldn’t either.  We don’t need no stinkin’ training and neither do they.

That is so wrong on so many levels.  We have many stories of businesses that thought they didn't need training and then fell for phishing scams, lost sensitive data or even lost hundreds of thousands of dollars.  While training doesn't fix everything, it is important.  Don't skip the training, and remember that training is not a one-time event.

These are just a few of the misconceptions, there are many more.

If your vendor has a breach, you are on the hook.  Maybe they are too, but you are first and foremost.  Your customers look to you to protect their data.

If you need help with your vendor cyber risk management program, contact us.
