Key Considerations for Implementing a Vendor Risk Management Strategy
If you’re running a business of any size, it almost goes without saying that you’re relying on third-party vendors in one way or another. Whether you call them contingent employees, contractors, freelancers or anything else, you’ve probably given them at least partial access to whatever’s under the hood of your business.
Data breach findings
According to a 2018 report from the Ponemon Institute and Opus, 59% of the executives surveyed experienced a data breach because of third-party vendors — a steady increase from 56% in 2017 and 49% in 2016.
And as for the companies’ efforts in preventing future breaches, the report offered some other depressing findings:
Survey question | Response |
Would a vendor alert the company in the event of a data breach? | Only 29% of the executives said yes |
Does the company have adequate resources for managing third-party relationships? | 63% were less than sure |
Can the organization's vendor safeguards be trusted to prevent a breach? | 57% of respondents simply didn't know |
Does the company have a comprehensive inventory of all its third-party suppliers? | Only 34% of respondents said yes |
And from there, the news gets even worse. The Ponemon Institute also asked executives about their “Nth parties” — that is, the vendors used by the third parties, vendors who are even further removed from the organization’s sphere of influence. When it comes to these fourth parties, only 12% of the executives surveyed expressed the belief that they would hear about a breach from any of these far-flung vendors.
Implementing a Winning Strategy
Implementing a well-thought-out Vendor Risk Management (VRM) strategy involves many checks and balances. Vendor classification, onboarding and offboarding policies, identity and access management, regulatory compliance and asset management are all key pillars. Many of these are obvious; the real challenge is putting them into practice in a way that moves at the speed and agility of the business.
The Ponemon report does offer some advice on best practices: Create an inventory of all third parties with access to your confidential data; review their policies and practices for data security, including how they address emerging threats such as new apps or employee-supplied devices; and include contract clauses requiring them to notify you if they share your confidential information with their own third parties.
These are good recommendations, to be sure. But at the risk of sounding unkind, they are the same recommendations that have been made by Ponemon and other organizations many, many times over the years.
The hard truth is that the modern digital enterprise is too busy innovating to focus on its countless points of vulnerability. And no matter how compliant your people are, their devices can still be stolen, and they can still unthinkingly expose your data over the public Wi-Fi in a coffee shop.
A single source of truth
Tehama acts as a single source of truth for the management of vendors, subcontractors, third parties and anyone else contributing to your organization’s digital transformation practice.
Rather than extending your network perimeter out to every vendor device, our SaaS VRM platform authenticates users through the MFA and IAM tools your organization already uses and gives them access to a hosted workspace instead of your network. A compromised endpoint device therefore never connects directly to your network, databases or other critical business assets.
Control IT spending and reduce your IT footprint by removing the need to configure and secure VPNs, set up jump boxes or, even worse, ship out expensive laptops and hardware.
Secure Tehama Rooms are created instantly and are accessible only to the authorized vendors and third parties contributing to their defined projects. The environment can be configured to adhere to the specific standards and regulations that apply to your business.
Additionally, all actions that take place in Secure Tehama Rooms are recorded. This gives you and your vendors full visibility into each session, a record for in-depth forensic auditing, and a reference for future investigations. Download our e-book on Securing the Workplace of the Future to learn more.