In one day, an attack on a New Hampshire business that you’ve probably never heard of managed to take out the web presences of Netflix, The Wall Street Journal, PayPal, Verizon, Comcast, and a slew of other major companies. The attackers focused their efforts on Dyn, a provider of domain name services which managed the accounts of hundreds of major brands. By attacking one vendor, the hackers affected millions. Regardless of what industry you’re in, it’s an inescapable issue. Even if you have the best security procedures in the world, you still run the risk of losing necessary services through third party failure.
There are, however, a few basic security protocols you can follow when preparing for a situation like this. The process is called Vendor Risk Management (VRM) and it’s becoming imperative, especially in an age where so many of our services are provided by vendors. Most likely, everything from your computer’s operating system to your workflows, web presences, and accounting software are all developed and managed by third party vendors. Appropriate VRM means you need to proactively identify third party risks and reactively have a trustworthy, in-house lead in place for when the worst happens.
Creating a Proactive Vendor Risk Management Plan
You have a lot of risk in your business, but one of the most often overlooked is the risk in your vendor relationships. In many cases of cybersecurity breaches and leaks, the problem can be traced back to a third party vendor who failed to follow protocols. You can proactively mitigate risks by implementing the following five standard VRM procedures:
- Thoroughly outline the relationship between the business and the vendor – This means that you know what the vendor will be doing, and what the final goal of that activity is.
- Consistently monitor vendor performance – Regularly auditing your vendors’ processes and procedures through in-house personnel can help you locate problems before they start.
- Develop guidelines for data use – Know what data your vendor will have access to and for what purpose.
- Create regulatory compliance benchmarks for vendor activities – If a vendor is handling a segment of your business that involves regulatory compliance, they should have a clear schedule in place which you have an up-to-date copy of.
- Develop a set mitigation plan for when the worst happens – Even if a plan seems foolproof, the worst-case scenario must be considered and planned for, to include naming key personnel to work with vendors for system recovery.
Probably the biggest and most important part of preventing problems from third party vendors is having a risk mitigation plan in place. This’s because bad things may inevitably happen to vendors. In Dyn’s case, the company didn’t do anything wrong. Instead, it was a victim of a brand-new attack it could have never predicted. Despite that, good mitigation plans ensured that most outages caused by these attacks only lasted a few hours. That was accomplished by the companies working with Dyn and using their own policies and procedures to get back online. The key to setting that up was picking a vendor liaison to lead their risk mitigation teams.
Developing a Risk Mitigation Team
It’s tempting to just put your CEOs on the risk mitigation team because they’re already key personnel. But during a major cyber-attack or computer issue, it’s not the CEO who will restore service. Instead, it’s the IT person, in conjunction with the IT people at the third-party vendor. For every vendor you have, you should have a vendor liaison. That vendor liaison is going to need the following:
- A deep understanding of the product the vendor is providing – If your vendor is providing cloud storage, then your vendor liaison needs to be an expert in cloud storage.
- A familiarity with the day-to-day workings of the program – Understanding the concept of a program is a bit easier than understanding what it does. Consider the cloud storage scenario. Most people understand the concept of cloud storage. Few people understand the processes that start when you click “save” and end when you shut down.
- A thorough understanding of a wide range of emergency procedures – Your liaison should know how to continue business in the event of system-wide outages, cyber security attacks, and even natural disasters. They should know where backup data is located and how to deploy it.
- Blank check access to your system – This is the one that makes most business owners flinch. Your vendor liaison is going to need almost autonomous authority to fix problems in your system. That might mean working with other programs or ending other processes to mitigate damages. This person must be completely trustworthy for managing such a vast amount of information, which leads to the final criteria for picking a vendor liaison.
- Ability to pass a Remote Risk Assessment (RRA) screening – With as much power as this individual will have, you’re going to need to make sure you can trust them with it. Lists of customer data and company product information goes for millions on the black market, so you need someone who will be able to resist that temptation. Generally, a screening that includes RRA technology works best, as it allows you to easily locate high risk candidates for the position and eliminate them from consideration.
Your vendor liaison is going to need a lot of access to your system, which is why we recommend deep vetting using RRA, a proprietary technology that uses voice analytics technology during a short automated phone interview to assess risk. This type of technology can be implemented remotely, quickly, and for virtually any purpose. For more information on using RRA as part of your Vendor Risk Management process, contact AC Global today.