Is Your Vendor a Security Risk? A Look at Vendor Risk Management

What if the biggest security risk your company faced was from an employee at a trusted vendor company?  Third-party risk management, or vendor risk management, is an emerging cybersecurity practice that larger companies are using to mitigate the risk that smaller, network-connected third-party and vendor companies can represent.

The classic example of the dangers a vendor can bring to another company is the 2013 Target Christmas Hack.  The original point of the breach was the remote monitoring network connection that an Ohio-based HVAC company had with Target to manage refrigeration and air conditioning systems.  Following this breach, many large companies began looking at the security policies and practices of their smaller vendor companies.  What was discovered, of course, was that most of these companies did not have any formal security policies or procedures.

If you own or manage a small business and you are in the supply chain of a larger company, you have undoubtedly received a letter or email from the cybersecurity team of this large customer asking you for a review or audit of your cybersecurity program.  If you are in the DOD supply chain, you have been required to comply with NIST SP 800-171 and DOD 858201p.

This is a list of the scrutiny to which you may be subjected.  Remember, the client firm is making a determination as to the fitness of your company to continue a vendor relationship.  You could end up losing your customer if you are not meeting their expectations for cybersecurity compliance.

  • This may include a financial records audit.
  • A review of data transactions and data processing.
  • Regulatory compliance with any government (HIPAA, GLBA) or industry (PCI-DSS) regulations that may apply to your business.
  • Basic and advanced security policies and compliance.
  • Computer acceptable use policies.
  • Computer incident response plan (CIRP).
  • Interviews with key personnel.
  • And most certainly it will include a network vulnerability assessment or penetration test.

Due Diligence

The mistakes your company may make will impact the client.  Remember, it was Target that was sued, not the HVAC company.  After the initial screening, they will want the following:

  • Ongoing security monitoring.
  • Ongoing security due diligence.
  • CIRP tabletop simulations with client IT staff present.

Secure Access

To ensure that communications between your vendor company and the client are secure, expect to be required to use the following techniques.

  • Two-factor authentication.
  • Permission-based network segmentation and access.
  • Use of secure connections such as VPNs.
  • The presence of security devices on your network, such as firewalls, intrusion detection and prevention devices (IDS or IPS), and unified threat management platforms such as AlienVault.

Part of the requirement stack that your client will require from your organization is an ongoing monthly, quarterly, or annual cybersecurity awareness training program.  This can include:

  • Phishing simulation
  • On-site live, online, or video training
  • CIRP tabletop simulations with your internal staff only.

This is the sort of examination you can expect to see from larger key clients this year, if you have not been subject to it already.  It can be expensive to set up a security program that complies with their requirements, but in the end this will protect not only your client, but other clients, and your own business from intrusion, disruption, and financial loss.

More information:

Complying with NIST 800-171 and DOD 858201p


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instructor for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition-free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry-level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at
