Software

Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Overview
Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

VX LP Sequence USE FOR CORPORATE SITE-thumb
Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.

CREATE FREE ACCOUNT

Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 

Industries

Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

1.7.2020-what-is-a-third-party-risk-assessment-FEATURED
Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.

DOWNLOAD SAMPLES

About

Venminder is an industry recognized leader of third-party risk management solutions. 

Our Customers

900 organizations use Venminder today to proactively manage and mitigate vendor risks.

Get Engaged

We provide lots of ways for you to stay up-to-date on the latest best practices and trends.

Gartner 2020
Venminder received high scores in the Gartner Critical Capabilities for IT Vendor Risk Management Tools 2021 Report

READ REPORT

Resources

Trends, best practices and insights to keep you current in your knowledge of third-party risk.

Webinars

Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars

 

Community

Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

Subscribe

 

Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

resource-whitepaper-state-of-third-party-risk-management-2022
State of Third-Party Risk Management 2022

Venminder's sixth annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.

DOWNLOAD NOW

SolarWinds Data Hack Is a Reminder Why Third-Party Risk Management Is Important

3 min read
Featured Image

As third-party risk professionals, we’re all too familiar with data breaches and bad actors. And, when a really nasty one occurs, especially one that could potentially threaten national security, we feel the effects alongside the rest and are strongly reminded why third party-risk management is so important.

The SolarWinds data hack has left many scrambling to pick up the pieces, while many set out to figure out how this happened in the first place. For those who still have questions, we’ll outline some background, go over what’s been uncovered so far and offer some solutions should you find your organization may be affected.

What Happened?

Texas-based enterprise monitoring software provider, SolarWinds, which serves as a vendor for more than 300,000 customers (both public and private, including every branch of the U.S. military and four-fifths of the Fortune 500 companies), has recently found itself at the center of an international hacking crusade affecting some of our country’s largest vendors. To get a bit more specific, SolarWinds provides many information technology tools which support network monitoring.

Just a few weeks ago, FireEye — a leading cybersecurity company — reported that it had been hacked, and in the process, also identified that SolarWinds’ IT monitoring and management software, Orion, had been compromised by the same crusade. The attack allowed hacker compromised software to be installed on the systems running certain tools offered by SolarWinds (Orion) and while SolarWinds has provided updated versions of the software, unfortunately, the damage has already been done. Any system which came in contact with the compromised software may be infected or ravaged of sensitive information.

The domino effect of this attack is among the worst we’ve seen, and almost daily, an increasing number of affected parties are coming out of the woodwork — many of which are resellers of affected software themselves. For example, Microsoft is one of the affected parties. Many Microsoft software licenses are sold through third parties, and those organizations can have near constant access to clients' systems as the customers add products or employees, making it even more critical to monitor the risk and access associated with third parties. Likely, the trickle-down effect of this hack has only just begun.

While the aftermath of the breach is still unfolding, here are a few of the most recent updates:

  • The New York Times reported that the SolarWinds supply chain attack is believed to have impacted as many as 250 government agencies and businesses.
  • Microsoft admitted that the attackers gained access to some of its source code via third-party resellers of its licenses, but the company insists they couldn’t have made any modifications to the code.
  • A class-action lawsuit has been filed against some of the top SolarWinds executives, citing poor data security practices and possible collusion.
  • A federal task force — which includes the FBI, CISA, ODNI and NSA — has been created to help further investigate and mitigate damage.

What Should SolarWinds Clientele Do?

First, if any organization uses SolarWinds themselves, it’s critical to verify whether they’re using an affected version. Additional detection methods have been noted in an article from the UK National Cyber Security Centre, which can be found here.

Many clients will also want to check with their vendors, especially those with personal identifiable information (PII)/sensitive data access, as to whether those vendors were using the compromised version of the SolarWinds tools.

5 Questions to Ask Your Vendors

Some of these questions should include the following:

If the answer to the first question is “No,” there’s no need to continue further.

  1. Are you currently running, or have previously run, a known affected version of a SolarWinds product?
  2. Have you updated the affected products to the now current, unaffected version?
  3. What actions are you taking to mitigate the risk of the systems being compromised?
  4. Are you aware of any suspicious activities or compromise of data related to this SolarWinds incident?
  5. Are you aware if any third parties you share our data with use, or used, affected SolarWinds products? If so, what data is shared with them and what mitigating activities are they taking related to this SolarWinds incident?

The SolarWinds hack is a strong reminder why third-party risk management is so important. Not only was SolarWinds breached, but so were many of their own clients and vendors as a result. It’s critical that you know what third-party risk management and cybersecurity measures your vendors have in place to help prevent a breach and protect your data at all times. You never know where a bad actor may be lurking.

Have you been affected by the SolarWinds breach or a cybersecurity issue with a different vendor? Find out what next steps to take. Download the infographic.

New call-to-action

 

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo