Vendor risk management: A guide for IT leaders (free PDF)
Adopting the right vendor risk management process can go a long way toward guarding against third-party data breaches. This ebook looks at current VRM technology and what to consider when choosing a VRM platform.
From the ebook:
Vendor risk management (VRM) is not a new concept. My article "5 best practices for reducing third-party vendor security risks" looks at several ways to mitigate the risk of data breaches caused by third-party vendors. However, in that article, I was remiss in not defining VRM. Here’s an excerpt of the definition from Gartner’s IT Glossary:
“Vendor risk management (VRM) is the process of ensuring that the use of service providers and IT suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance.”
Cybercriminals’ favorite attack vector
Third-party vendor (TPV)-initiated data breaches are becoming the go-to attack vector for cybercriminals. Ponemon Institute’s third annual (2018) Data Risk in the Third-Party Ecosystem report supports this claim:
“Fifty-nine percent of respondents confirm that their organizations experienced a data breach caused by one of their third parties and 42 percent of respondents say they had such a data breach in the past 12 months.”
The best practices mentioned in my previous article still apply today, but cybersecurity pros now have much more experience with TPV security and additional thoughts on it, in particular ideas on how to use VRM to curtail that avenue of attack.