Vendor Management: Top 7 Reasons Why Companies Aren’t Secure

Vendor management is a crucial component in safeguarding company cybersecurity. As businesses increasingly rely on various external services and products, ensuring these external partners uphold strong security standards becomes imperative. I’ve found that, given the rapid progression of technology in cyberspace, companies must completely understand each vendor with access to transmit or store end-user data. They must have in-depth knowledge of the vendor’s security profile and monitor it diligently to mitigate potential risks. From my experience, here are some of the top reasons why many companies aren’t secure in this respect.

1. Increasing Vendor Numbers

Companies are increasingly engaging with larger numbers of vendors due to globalization, the need for specialized expertise, and the drive for cost efficiency. Statistics show that organizations’ average number of third-party SaaS vendors increased by 62% between 2020 and 2022. This trend is fueled by the desire to focus on core competencies, leverage technological advancements, and enhance competitive positioning in the market.

2. Higher Supply Chain Risks

The growing number of vendors is one reason for the higher percentage of supply chain attacks. These occur because key suppliers or vendors may be more vulnerable to attack than the primary target, making them weak links in the overall network. In 2020, Accenture reported that 40% of cyberattacks originated from the extended supply chain.

For instance, in 2017, NotPetya malware spread via a Ukrainian accounting software company called M.E.Doc. The malware spread to other companies that used M.E.Doc’s software, including Maersk, a global shipping company. The attack caused Maersk to shut down its IT systems for several days, resulting in a loss of $300 million.

3. Lack Of Continuous Monitoring in Vendor Management

The absence of continuous monitoring in vendor management can lead to missed vulnerabilities and escalating risks. Continuous monitoring is crucial for detecting changes in vendors’ security postures and guaranteeing adherence to security standards. Without it, companies may find themselves blindsided by security breaches originating from their vendors. Remarkably, research from the Ponemon Institute shows that 50% of organizations don’t monitor third parties accessing their sensitive and confidential information.

4. Cost-Cutting Measures

The pressure to constantly cut costs is another threat to vendor cybersecurity programs. Research shows over two-thirds of organizations spend less than 10% of their IT budgets on security. Such cost-cutting measures can lead to inadequate security practices, such as failure to renew certifications or maintain compliance annually, leaving companies vulnerable to data breaches and cyberattacks. While reducing expenses is a common business goal, it should not come at the expense of robust security measures.

5. Risk Of Non-Compliance in Vendor Management

Non-compliance with cybersecurity standards also presents considerable risks. A checkbox approach, where companies merely meet the minimum requirements for compliance, is insufficient protection against cyber threats. One study found that 59% of organizations experienced a data breach caused by a third party. This statistic emphasizes the importance of ensuring all vendors comply with security policies, as their non-compliance can lead to severe and costly security incidents, damaging both the company’s data integrity and its reputation.

6. Reactive Security Approaches

Reactive third-party security approaches leave companies vulnerable because they focus on responding to breaches after they occur, allowing damage to unfold unchecked. A lack of continuous monitoring and proactive vendor risk assessments can result in unnoticed security gaps, increasing the risk of data breaches.

For example, intrusion detection is only good after the fact; it doesn’t protect a company from risk. With 4,145 data breaches at an average cost of $9.44 million each, the financial impact of the 59% caused by third-party vendors in 2022 was $22.9 billion. Companies struggle to keep pace with evolving cyber threats, which can lead to non-compliance with regulatory frameworks and compromise their security posture further.

7. Inadequate Security Training

A common shortfall I’ve seen in vendor management is the lack of comprehensive security training for employees. Humans are every company’s biggest risk factor, and training significantly impacts employees’ awareness and behavior regarding information security. For example, research into permissions provided to third-party vendors in cloud environments showed that 82% of enterprise organizations provided vendors with highly privileged roles. Seventy-six percent gave vendors roles allowing full account takeover, and over 90% of cloud security teams were unaware they had given such high permissions to vendors.

How To Prioritize Security in Vendor Management

A comprehensive vendor security analysis includes sending suppliers questionnaires to vet their security profiles and continuously monitoring their postures. As it stands, 98% of organizations globally have relationships with at least one breached third party, and those that haven’t been breached yet aren’t immune to it happening to them.

Vigilant vendor management is vital to maintain a secure business environment. The primary risk lies in how people understand and handle their data. This understanding extends to vendor management, where the real challenge is ensuring that every vendor involved in the company’s operations maintains a high security standard.

I find it critical that companies have a proactive approach that focuses on intrusion prevention and comprehensive employee training. Understanding vendors’ capabilities and continuously monitoring their security postures is vital for fostering a security culture that permeates every aspect of the business, ultimately safeguarding the company’s future.


You can read the original article posted in Forbes by Rhymetec CEO, Justin Rende.


About Rhymetec

Our experts have been disrupting the cybersecurity, compliance and data privacy space since 2015. We make security simple and accessible so you can put more time and energy into other critical areas of your business. Some of our customers have gone on to be acquired by Meta and Zoom. Our customers trust us to help them reap the benefits of having a stronger security program.

What makes us unique is that we act as an extension to your team. We consult on developing stronger information security programs within your environment, and provide the services to meet these standards. Most organizations offer one or the other. From compliance readiness (SOC 2, ISO/IEC 27001, HIPAA, GDPR and more) to Penetration Testing (Web Application Pentest, API Pentest, External Network Pentest and Mobile Application Pentest) and ISO Internal Audits, we offer a wide range of consulting, security, vendor management, and managed compliance services that can be tailored to your business environment.

If you’re ready to learn about how Rhymetec can help you, contact us today to meet with our team.
