Vendor risk assessment is crucial to a startup's success. As the world saw in the SolarWinds attack, a sophisticated supply chain compromise that breached a large number of SolarWinds' customers, this kind of threat must be continuously assessed and managed because of its wide impact.
A supply chain attack occurs when someone infiltrates your systems through an outside partner or provider that has access to your systems and data. This has dramatically changed the attack surface of the typical enterprise in the past few years, with more suppliers and service providers touching sensitive data than ever before.
Moreover, organizations that work with dozens or hundreds of IT vendors are not always aware of the risks those vendors introduce. Research conducted by a cloud security company found that 82% of companies grant third-party vendors highly privileged roles, 76% of companies have third-party roles that allow full account takeover, and over 90% of cloud security teams were not aware they had given high permissions to third-party vendors.
Hence, the type of information and access you give your vendors has a direct impact on your own risk of a data breach and of compromise of sensitive assets.
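As an added example that is not part of this article or of any vendor's product, the following Python script shows one way a cloud security team can answer the question raised by those numbers: which IAM roles can a third party assume, and which of those amount to full account takeover. The role records, the account IDs and the `PolicyDocuments` field are constructed sample input (assumed to have been exported beforehand with the AWS CLI or SDK); the script itself runs offline.

```python
# Added example (not from the article): flag IAM roles that trust third-party
# AWS accounts and estimate how much of the account each one could take over.
# All role data below is constructed sample input; account IDs are placeholders.
import json

OWN_ACCOUNT_ID = "111111111111"  # assumed placeholder for your own account ID

# Sample roles shaped like `aws iam get-role` output (trust policy) plus the
# documents of each role's attached/inline policies. Constructed, not real.
SAMPLE_ROLES = [
    {"RoleName": "vendor-a-admin",
     "AssumeRolePolicyDocument": {"Statement": [
         {"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}]},
     "PolicyDocuments": [{"Statement": [
         {"Effect": "Allow", "Action": "*", "Resource": "*"}]}]},
    {"RoleName": "vendor-b-monitoring",
     "AssumeRolePolicyDocument": {"Statement": [
         {"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"AWS": ["arn:aws:iam::333333333333:root"]},
          "Condition": {"StringEquals": {"sts:ExternalId": "vendor-b-token"}}}]},
     "PolicyDocuments": [{"Statement": [
         {"Effect": "Allow", "Action": ["cloudwatch:Get*", "ec2:Describe*"],
          "Resource": "*"}]}]},
    {"RoleName": "vendor-c-iam-helper",
     "AssumeRolePolicyDocument": {"Statement": [
         {"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"AWS": "arn:aws:iam::444444444444:user/integration"}}]},
     "PolicyDocuments": [{"Statement": [
         {"Effect": "Allow", "Action": ["iam:*", "s3:ListBucket"], "Resource": "*"}]}]},
    {"RoleName": "internal-deploy",
     "AssumeRolePolicyDocument": {"Statement": [
         {"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"AWS": f"arn:aws:iam::{OWN_ACCOUNT_ID}:root"}}]},
     "PolicyDocuments": [{"Statement": [
         {"Effect": "Allow", "Action": "ecs:*", "Resource": "*"}]}]},
]

# Actions equivalent to full control of the account when granted on "*":
# '*' itself, and iam:* (lets the holder mint its own admin credentials).
TAKEOVER_ACTIONS = {"*", "iam:*"}


def _as_list(value):
    """IAM documents allow a string or a list in most fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def external_accounts(trust_policy, own_account=OWN_ACCOUNT_ID):
    """Account IDs (or '*' for anonymous) allowed to assume the role, excluding our own."""
    found = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.add("*")
            continue
        for arn in _as_list(principal.get("AWS")):
            if arn == "*":
                found.add("*")
                continue
            account = arn.split(":")[4] if arn.startswith("arn:") else arn
            if account != own_account:
                found.add(account)
    return found


def requires_external_id(trust_policy):
    """True if every Allow statement in the trust policy carries an sts:ExternalId condition."""
    stmts = [s for s in _as_list(trust_policy.get("Statement")) if s.get("Effect") == "Allow"]
    return bool(stmts) and all(
        "sts:ExternalId" in json.dumps(s.get("Condition", {})) for s in stmts)


def allows_account_takeover(policy_docs):
    """True if any attached policy grants a takeover-equivalent action on Resource '*'."""
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue
            actions = {a.lower() for a in _as_list(stmt.get("Action"))}
            if actions & TAKEOVER_ACTIONS and "*" in _as_list(stmt.get("Resource")):
                return True
    return False


def audit_roles(roles, own_account=OWN_ACCOUNT_ID):
    """One finding per role a third party can assume, with a severity for the risk register."""
    findings = []
    for role in roles:
        trust = role["AssumeRolePolicyDocument"]
        accounts = external_accounts(trust, own_account)
        if not accounts:
            continue  # only our own account's principals: not a third-party role
        takeover = allows_account_takeover(role.get("PolicyDocuments", []))
        ext_id = requires_external_id(trust)
        if takeover:
            severity = "critical"  # the vendor, or whoever compromises it, owns the account
        elif not ext_id:
            severity = "high"      # cross-account trust without ExternalId: confused-deputy risk
        else:
            severity = "medium"    # scoped access; still needs periodic review
        findings.append({"role": role["RoleName"], "external_accounts": sorted(accounts),
                         "account_takeover": takeover, "external_id": ext_id,
                         "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit_roles(SAMPLE_ROLES):
        print(f"{f['severity']:8} {f['role']:22} trusted by {','.join(f['external_accounts'])}"
              f"  takeover={f['account_takeover']}  external_id={f['external_id']}")
```

Each finding names the third-party account, whether the role's permissions amount to account takeover, and whether the trust relationship is pinned with an ExternalId, which is what the vendor inventory needs to record per vendor. On the sample data the two takeover-capable roles come out as critical and the scoped monitoring role as medium; the internal role is skipped because only your own account can assume it.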
How do you assess how much cyber risk a particular vendor poses to your organization?
Create an organizational policy that details the vendor management process. In general, there are 6 steps in the vendor management lifecycle:
- IT asset request – requests for new IT vendors should be centralized and assessed by the CISO
- Procurement – implement risk management within a contractual partnership
- Accounting – assign a system owner for clear accountability over the risks introduced by the vendor.
- Deployment – determine how this vendor will get data from the company's assets
- Monitoring – continual assessment of the risks from the vendors.
- Retirement – decide on the vendor termination process, including requests for data deletion for databases and backups.
To succeed, you need to combine multiple approaches and collaboration. Create a vendor management policy and build the process across your organization. List the vendors and understand the level of risk each one introduces (an Excel sheet or a task management tool can do the job). This should be a continual process, performed at least annually. You can also ask your vendor for their annual SOC 2 report and review whether they had deviations and what the auditor's final opinion was.
Also, consider adding a "right to audit" clause to your agreement, so you can take a close look at the effectiveness of the vendor's internal controls that matter to you.
There are multiple Third-Party Risk Management ('TPRM') tools that offer advanced solutions, such as Panorays.
In conclusion, these are the 5 points you should take with you:
- Set up contract provisions (typically, in the service level agreement [SLA]) to address risk-related commitments
- Combine the vendor risk profile with the risk profile of the engagement
- Prepare for dynamic monitoring and risk assessment based on internal/external events
- Implement both traditional and innovative monitoring approaches for continuous monitoring of the identified risk factors
- Leverage technology solutions to integrate procurement, performance, and risk management on a unified platform.