Key Considerations for Implementing a Vendor Risk Management Strategy

Jeremy Cochrane

If you’re running a business of any size, it almost goes without saying that you’re relying on third-party vendors in one way or another. Whether you call them contingent employees, contractors, freelancers or anything else, you’ve probably given them at least partial access to whatever’s under the hood of your business. 

According to a 2018 report from the Ponemon Institute and Opus, 59% of the executives surveyed experienced a data breach because of third-party vendors — a steady increase from 56% in 2017 and 49% in 2016.

And as for the companies’ efforts in preventing future breaches, the report offered some other depressing findings:


Would a vendor alert the company in the event of a data breach?  Only 29% of the executives said yes
Does the company have adequate resources for managing third-party relationships? 63% were less than sure
Can the organization’s vendor safeguards be trusted to prevent a breach? 57% of respondents simply didn’t know
Does the company have a comprehensive inventory of all its third-party suppliers?  Only 34% of respondents said yes

And from there, the news gets even worse. The Ponemon Institute also asked executives about their “Nth parties” — that is, the vendors used by the third parties, vendors who are even further removed from the organization’s sphere of influence. When it comes to these fourth parties, only 12% of the executives surveyed expressed the belief that they would hear about a breach from any of these far-flung vendors.

Implementing a well thought out Vendor Risk Management (VRM) strategy encompasses many checks and balances. Proper vendor classification, onboarding, and offboarding policies, identity and access management setup, regulatory compliance and asset management are all key pillars. Many of these are obvious, but the real challenge is implementing a winning strategy with best practices that move at the speed and agility of the business.

The Ponemon report does offer some advice on best practices: Create an inventory of all third parties with access to your confidential data; review their policies and practices for data security, including how they address emerging threats such as new apps or employee-supplied devices; and include contract clauses requiring them to notify you if they share your confidential information with their own third parties.

These are good recommendations, to be sure. But at the risk of sounding unkind, they are the same recommendations that have been made by Ponemon and other organizations many, many times over the years.

The hard truth is that the modern digital enterprise is too busy innovating to focus on its countless points of vulnerability. And no matter how compliant your people are, they can still be the victims of theft, and they can still unthinkingly expose your data over the public wi-fi in a coffee shop.


secure remote access

Tehama acts as a single source of truth for the management of vendors, subcontractors, third parties and anyone else contributing to your organization's digital transformation practice.

Our SaaS VRM platform eliminates the risk associated with securing the network perimeter by leveraging MFA and IAM tools already used by your organization. This prevents tainted endpoint devices from accessing your network, databases and other critical business assets.

Control IT spending and reduce your IT footprint by taking away the need to configure and secure VPNs, setup jumpboxes or even, worse, shipping out expensive laptops and hardware.

Secure Tehama Rooms are created instantly and are only accessible by authorized vendors and 3rd parties contributing to their defined projects. The Tehama environment is fully compliant, and can be set up to adhere to the specific standards and regulations of your business.

Additionally, all actions that take place in the Secure Tehama Rooms are recorded. This provides you and your vendors with full visibility, in-depth forensic auditing and valuable information for future reference.

For more information about what Tehama can do for your organization, download our white paper.

And if you’d like to experience the power of Tehama for yourself, register for a live demo.

More Posts

Subscribe Here!