Don’t let the vendor fool you. Be diligent and perform reviews, even when you feel it may be unnecessary.
“Fool-proof systems do not take into account the ingenuity of fools.” – Oscar Wilde
Common Vendor Risk Management Mistakes
- The vendor is a large company; therefore, they’ve implemented risk practices that keep them safe.
Correction: Just because a company is large, it doesn’t necessarily mean that they’re safe. In fact, the bigger the company, the more chance that it’s difficult to maintain “safe”.
- The vendor doesn’t receive my NPPI, so they’re low risk.
Correction: Any time a vendor is handling customer data, even if it’s not transmitted, there’s risk. (e.g., a credit reporting agency)
- The vendor is privately held so I can’t access their financials online. Oh well, right?
Correction: Even if a vendor is privately held, still reach out to your contact and request documents like an accountant’s letter, a credit report on the owner or a copy of the vendor’s statements.
- The vendor doesn’t have access to my data in electronic format, so the risk is low.
Correction: Take into consideration the shred company. Just because they don’t have access to your data in electronic format doesn’t mean that they can’t still access your data – they have direct access to hard copies!
- The vendor’s data security is likely above average because they're well-known.
Correction: Remember the big Target breach a few years back? That’s proof right there that big names get hacked too.
- The vendor was hacked but they assured me that everything is fine now, so there’s no need for my organization to worry anymore.
Correction: If a vendor is hacked, make them show the steps they’ve taken to address the problem and begin to monitor for follow-up activity.
- The vendor is extremely innovative, so I’m sure they’ve spent a ton to make sure their technology is completely safe.
Correction: Review and understand the vendor’s information security procedures to verify sufficiency.
- The vendor won’t provide some of the documents I’ve been requesting but there’s nothing I can really do about that.
Correction: Look for alternatives to reviewing due diligence when it’s difficult to obtain. For example, maybe they can allow you to view the documents but not retain.
- The vendor’s due diligence, policy and program documentation proves that they’re safe and financially sound, so there fourth party probably is too.
Correction: If the fourth party is critical to your vendor, you need to perform your own analyses on them.
- I personally don’t need to be trained on how to spot malicious emails or phishing attacks because I would never fall for that so I’m sure the vendor wouldn’t either.
Correction: It’s easy to let your guard down and accidentally expose yourself to a phishing attack when in a hurry. Take it a step further and ensure your vendor’s security training is adequate to prevent this risk from happening to you.
There are likely many more misconceptions in vendor risk management. Thorough vendor due diligence is critical as it helps prevent your organization from unexpected high risk situations. Remember, it’s pivotal to always analyze the situation a little further, just to be safe.
Have you carried any of these vendor risk myths into 2019? Download this infographic.