Sheri Garver
Optimizing operational performance is a key ingredient for organizations to produce quality products and/or deliver excellent service and generate profits.
However, sourcing the key ingredient is becoming more difficult as organizations decrease overhead expenses, manage supply chain disruptions, and develop workaround processes to mitigate technology challenges.
In today’s business climate, optimizing performance, complying with regulatory requirements, and remaining competitive is impossible without support from third-party providers.
Introducing vendors into an organization can greatly impact success while also introducing risk.
What’s Your Appetite for Risk?
Implementing third-party providers to perform essential and non-essential tasks requires organizations to determine the amount of risk they are willing to accept to achieve their objectives.
Moreover, organizations must decide if vendors fit their risk appetite and which ones will require additional controls to reduce the risk to a tolerable level.
CISOs, CIOs, vendor management, and department leaders requiring third-party support, such as facility managers, should play a significant role in risk management teams and developing additional controls.
If the risk management team doesn’t assess the risk, they won’t understand the threat it has to the organization.
On the Rise: Supply Chain Attacks
A supply chain attack, also known as a third-party or value-chain attack, happens when someone breaches your systems through an outside partner or provider with privileges and access to your systems and data.
Attacks of this nature have increased by 2,600 percent since 2018, according to a recent Identity Theft Resource Center report.
When organizations hire third parties, they effectively give vendors the keys to their facility and hand them their debit card.
Evaluating Vendor Risk
Many legally binding vendor contracts obligate the third party to adhere to security and privacy practices, requiring a signature to attest to their commitment to security.
59 percent of organizations rely on contractual agreements as part of their due diligence, according to a 2022 study by the Ponemon Institute.
Yet only 34 percent of study participants were confident that their third party would notify them if they had a data breach involving their sensitive and confidential information.
Vendor ‘Paraphernalia’
Vendors can’t provide services without installing software, devices, and people into an organization. There lies the risk.
Organizations tend to focus on the services the vendor is responsible for and overlook the items that are physically being placed inside their facilities or installed into their network. Security cameras, software, and employees often go unmanaged and undetected.
Notable Third-Party Breaches
New York Health Center Agrees to Invest $1.2M in Cybersecurity, Pay $450K in Fines
Refuah, a New York-based health center, partnered with a physical security company to monitor the company’s facilities they installed video cameras and deployed software. Cyber criminals gained access to the monitoring system that was protected by a static four-digit code. The administrative credentials were associated with a Refuah account used by a former IT vendor and had not been changed for at least 11 years.
In May 2021, they notified officials of a ransomware attack that compromised the protected health information of 260,740 people.
On January 5, 2024, the New York Attorney General’s office announced that they had reached an agreement requiring Refuah to invest $1.2 million to strengthen its cybersecurity and pay $450,000 in penalties and costs.
Bank of America Falls Victim to Two Vendor Breaches in One Year
In 2023, Bank of America fell victim to cyber-attacks from two separate vendors.
The first incident occurred in February 2023 when an unauthorized user gained access their accounts receivable management company NCB Management Services. The cybercriminals captured and exposed nearly 500,000 Bank of America customers’ credit card information.
The second attack occurred in November 2023 when Infosys McCamish Systems, the vendor they used to manage deferred compensation plans, was compromised. The ransomware attack impacted as many as 57,028 individuals.
HVAC Provider Costs Target $202M
There are numerous articles explaining how hackers gained access to Target’s network through their HVAC third-party provider that cost their organization a reported $202 million dollars.
Like all third-party incidents, someone within the organization was responsible for selecting and implementing the vendor.
The Target incident created a lot of chatter amongst facility managers because they utilize building automation systems (BAS) to set alarms in facilities, turn on and off HVAC controls, and access surveillance cameras.
The incident highlighted why facility managers and IT personnel need to establish effective communication to establish controls with facility vendors to protect their network, customers, and organization.
Do You Have a Vendor Management Program?
A vendor management program is the process of continuously evaluating and monitoring third-party service providers. It aims to ensure vendors comply with organizational policies to protect systems and devices that create, receive, maintain, and transmit sensitive data.
55% of organizations rely on the business reputation of a vendor rather than perform a preliminary evaluation.
The vendor management process should include evaluations of cyber security policies, procedures, and security assessments to ensure they comply with the organization’s requirements.
Conclusion
Organizations can no longer point fingers at vendors when customers and employees are exposed to safety and privacy violations.
Regulatory and accreditation bodies increasingly hold organizations responsible for knowing their vendors and subcontractors, ensuring they are making reasonable efforts to protect consumers.
Are You Prepared?
PacketWatch has extensive experience helping companies create, manage, and maintain vendor management programs. We take the time to familiarize ourselves with your organization’s unique operations and structure, providing highly customized policies and procedures mapped to leading frameworks and industry requirements.
Contact us today to inquire about our vendor management services.
Sheri Garver has nearly two decades of professional accreditation and compliance background. She is the Senior Advisor of Regulatory Compliance for PacketWatch, a premier cybersecurity firm in Scottsdale, Arizona.