Managing risk from vendor dependencies in a crisis
When a crisis affects your organization, the security of the technology vendors you depend on might be the last thing on your mind. But just as you must ensure that your own systems and operations carry on reliably during an emergency, so must you ensure that the key vendors you rely on are doing the same.
This is especially true for the vendors that host or manage critical functions like hosting business applications or providing IT services, including data backup and recovery.
Both your clients and your employees entrust you with private, sensitive data, such as financial or confidential information.
When you trust the safety and integrity of that data to a vendor, it is up to you to make sure the vendor you’ve selected has internal processes safeguards to protect your data. Anything else can cause serious financial, reputational and regulatory risks.
Ideally, you would have evaluated your vendors before a crisis, but if you didn’t, it’s not too late.
A key part of business continuity planning is evaluating your vendors’ ability to meet contractual obligations during a crisis. Whether you’ve outsourced software, technology or professional services, you must take responsibility for checking the security, reliability and business resilience of the vendors you depend on. There are a few key things you need to consider when assessing your vendors and making sure they can support your business continuity requirements.
Check in regularly
First, establish a relationship between your operational leadership and your vendor’s leadership to foster personal accountability. Depending on the vendor, this might mean the head of your IT department or your line managers.
In a crisis that affects your vendors, capitalize on those relationships by holding regularly recurring check-ins for as long as the emergency lasts. Doing so can help you recognize and resolve issues as they arise, so that you can provide timely updates to your own customers.
Adjust your planning to account for potential delays, failures and bottlenecks. Depending on your vendors’ assessments of their risks, you might find that building more time into your work plans is enough to insulate your operations from a risk of delays. Or you might need to immediately begin identifying substitute vendors for critical functions that are in danger of failing or make plan to bring these functions in-house.
Plan for resiliency
For outsourced data management or cloud-based application hosting services, determine whether your vendor’s systems are redundant and resilient. Is your data all housed on one server in one data center, or is it dispersed across geographically separated hardware? How far is that separation? How thoroughly, and how often, is the data backed up? And, does you vendor have the capacity to support all of its clients if a disaster was declared?
Data tied to a single data center in San Antonio was knocked offline by a 2018 lightning strike that shut down customers’ operations for more than 36 hours. Such a scenario is easy to avoid. A widespread and evolving crisis can disrupt one facility or even one region, but a properly planned, redundant system is resilient in the face of localized failure. The best time to manage these issues is before an emergency but asking for improvements might be worthwhile even during a crisis, if they can be made without undue risk of disruption.
Keep in mind, hardware isn’t the only type of system that should have redundancy. If your data needs to be monitored and accessed continuously, is the vendor’s staff also resilient? That is, can multiple people step in from multiple locations, if necessary? Or will the failure of a single employee or access point cause disruption?
Raise your standards
If a crisis forces a vendor’s office to close and its personnel to work remotely, does that vendor have the capacity to support all of their clients’ remotely as well as the appropriate safeguards to manage information security risks? Staff working remotely may not have all the cybersecurity safeguards as back at the office and are at elevated risk for exposing data and systems to hackers, so your vendors should be well prepared for such a scenario.
First, vendors should have clear standards for their remotely working employees’ behavior and equipment. This means never connecting to company systems through public Wi-Fi or using obsolete devices, operating systems or software (ideally, they will use only company-issued devices).
Next, your vendor’s remote employees should be equipped with enterprise-grade antivirus software. And they should have robust access and authentication controls, including multi-factor authentication, which confirms the identity of users with greater certainty.
Finally, your vendor should use a remote-access virtual private network (VPN) for employees connecting to company servers and systems. With a VPN, remote users’ client software routes all traffic through a single secure, end-to-end encrypted connection to and from the company’s systems, rather than connecting directly. Without a VPN, the doors are essentially wide open to malicious actors. Be sure that vendors are not using insecure protocols, such as RDP or Telnet for accessing systems that have access to your data.
Don’t neglect business viability
The reality is that our financial markets are unstable because of the COVID-19 outbreak. While the government has taken swift action, some companies may not be able to weather the storm. Businesses should have candid conversations with critical vendors about the financial impacts on their business and their ability to provide ongoing support. Contingency plans should be created to replace vendors that are considered high-risk in the event they are unable to fulfill their commitments.
Control what risks you can
Eliminating all vendor-related risk is impossible. But by involving your key vendors in your business continuity planning and management processes, you’ll have a solid footing in even the most disruptive emergency. It is management’s responsibility to oversee risks associated with outsourced relationships. At the end of the day, you can outsource responsibility, but not accountability.