Vendor-Centric Risk Management

The road to keeping your company’s information secure and safe from hackers starts with your suppliers

By Bridget McCrea

Getting out in front of organizational risk – and staying in front of it – can be a monumental task in today’s business environment. Supply chain disruptions, vendor insolvency, geopolitical events and even minor ordering glitches can all take their toll on even the best-laid risk management plans. The good news is that electronics buyers are in the perfect position to not only help identify areas of potential risk but also ward off problems that could be lurking around the next corner.

Jason James, vice president of Risk Advisory Services, Evantix GRC, LLC, Newport, Calif., says even the most risk-averse, prepared firms are open to supply chain risk. A large security firm whose servers are compromised by hackers looking to steal encryption keys, for example, could be exposing those keys to criminals who then use the stolen data to hack into large organizations.

“This is just one example of how a company that provides information to other entities (which perform services for the former) exposes itself to potential risk,” says James. The same philosophy can be applied at the purchasing level, where buyers typically surrender at least some sensitive organizational data when setting up contracts, establishing accounts, issuing purchase orders and paying invoices.

Thwarting potential problems

James says vendors are a good first stop on the path to solid risk management because highly organized cyber-criminals (typically located in Eastern Europe or Asia) know that American companies share intellectual property with their suppliers.

“It’s a lot easier for them to attack your vendors than it is to do it directly to your organization,” says James. The problem, he notes, is that in most cases it isn’t your supplier that’s faulted for any breaches – it’s your company. Using the financial industry as an example, consider the fact that after a major breach at a national bank the spotlight is usually put on the bank itself – not on the vendors that it works with.

“Procurement has to understand that just because you don’t hear about problems at the vendor level, that doesn’t mean security breaches aren’t happening at that level,” James explains. “It means the press just doesn’t know or care about what’s going on behind the scenes.”

How secure are they?

To avoid potential risk when sharing information with vendors, James says a good first step is to look at just how secure your vendors are and what processes they’re using to protect the data stored on their computers, servers and even mobile devices. “This is the time to turn to your own firm’s security team/IT department and let them know you’re assessing vendors,” says James, “and ensuring that these suppliers use security that’s as good as (or better than) yours.”

In most cases, a firm’s security team will approach the issue by sending out assessments, which in turn will highlight any problem areas and indicate whether further inspection is needed before the business relationship launches.

“In some cases, a visit to the supplier’s site to observe the security functions will be warranted,” James adds. Such visits can be extremely revealing – particularly when the prospective supplier is a new or very small organization. “What you’re looking for is a clean bill of health issued by your own IT department,” James explains.

“Don’t expect to get it if your supplier is working from a garage and has IT equipment stored in an adjacent bedroom. If the security is that weak, then that’s not a company you want to be doing business with,” says James.

Asking the tough questions

In 25 Questions to Ask Yourself About Your Procurement Risk Management Approach, sustainable business community 2Degrees calls risk “omnipresent” but also acknowledges that without some level of risk, business as we know it might not exist either. Here are the top supplier-related risk management questions that companies should ask themselves (read the full list here).

  1. You'll want to create an overall picture of the risk to your suppliers. Exactly how do you define suppliers to the business? Do you split your business risk and procurement risk into separate silos, or are they merged?
  2. Is your supply chain dynamic? Have you developed flexible operations, a diversified supplier portfolio, global visibility and options to scale?
  3. Do you know who your partners are and what their operational and financial risk profiles look like? Which third-party vendors and counterparties are there?
  4. If you are counting on supplies from a vendor, what happens if you don’t get those raw materials?
  5. What risks should be captured? How are they going to be assessed and measured? Do you link your risks with your company's dark spots and general business objectives, or is it purely done to ensure compliance?
