July 12, 2018 By Kevin Beaver 3 min read

It’s such a great feeling to check a box on your vendor security checklist. You establish a relationship with a third party — check! You meet another regulatory requirement — check! Once you’ve marked down every item and an audit turns up a clean report, the sales deal is done.

All parties involved can then go merrily on their way… until a malicious actor uncovers a security flaw that was overlooked amid all the handshakes and paperwork that went into the deal.

This security approach is especially prevalent in vendor management: One side says all is well — and the other takes this claim at face value without vetting it. This approach is not good for security, and it’s certainly not good for business.

Navigate Common Vendor Security Roadblocks

The most common (and dangerous) approach to vendor security happens when a company asks a third party for a copy of its latest vulnerability assessment or security operations center (SOC) audit report. Many people go through the motions to obtain these reports and check the box without considering how both documented and undocumented issues truly impact security.

In some cases, people are willing to look the other way or make dangerous assumptions — they’ve got to keep the business going, after all. Then, there’s the reality beyond the report. Clean reports, especially around SOC audits, are common. If there are any findings, it’s often an administrative issue related to user account management or data backups, but nothing of real substance that’s going to facilitate an incident or breach.

It’s also common for vendors to provide more in-depth vulnerability and penetration testing reports that are clean (or, at least, have minimal areas of concern). These reports are often based on network vulnerability scans that do not look at the entire IT environment — not an in-depth web application analysis.

When presented with these reports, it’s easy to overlook things like missing patches on workstations, SQL injections on web applications and misconfigured guest wireless networks. Instead of acknowledging these patch-management and security-awareness gaps, many business leaders just move on to the next big thing and sweep security under the rug.

When Talking Security, Don’t Beat Around the Bush

When it comes to security, there’s often a lack of ongoing involvement and oversight. It’s obviously important to keep the business running, but too many decision-makers assume security controls are sufficient to counter cyberattacks simply because someone else told them so.

It’s good to maintain a positive relationship with your vendors, but not at the expense of long-term cybersecurity.

It’s similar to a doctor giving a patient a clean bill of health even though he or she is masking symptoms with medication. Although the bloodwork may look good, the patient is bound to have long-term health problems unless he or she makes better lifestyle choices. Many security programs follow the same path — especially when it comes to vendor management — and it’s a recipe for an unsustainable outlay of data breaches.

Part of the challenge is that people are sometimes afraid to ask questions. They want to appear professional and nice, and this often causes them to gloss over uncomfortable subjects — namely, security. It’s good to maintain a positive relationship with your vendors, but not at the expense of long-term cybersecurity. This seems simple on the surface, but when organizational politics and high-value business deals are involved, everything gets more complicated.

Adopt a Trust-But-Verify Approach to Vendor Management

Vendor management is a hot topic today — and one that many enterprises struggle with. It doesn’t have to be terribly complicated, but it does have to be near the top of your information security program priorities. While it’s important to do right by your vendors, it’s more crucial to do what’s best for your business. That means looking beyond the paperwork, basic vulnerability checks and blind faith that the company is secure simply because someone else said so.

The best way to handle vendor security is through the old-school approach of trust but verify. Talk is cheap — and people are expedient, especially when big business deals are on the line. Try to step back and see through all the talk to truly understand what your vendors are doing.

When the going gets rough and the lawyers get involved, that’s the only defensible strategy.

Listen to the complete podcast series: Take Back Control of Your Cybersecurity now

More from Risk Management

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

How TikTok is reframing cybersecurity efforts

4 min read - You might think of TikTok as the place to go to find out new recipes and laugh at silly videos. And as a cybersecurity professional, TikTok’s potential data security issues are also likely to come to mind. However, in recent years, TikTok has worked to promote cybersecurity through its channels and programs. To highlight its efforts, TikTok celebrated Cybersecurity Month by promoting its cybersecurity focus and sharing cybersecurity TikTok creators.Global Bug Bounty program with HackerOneDuring Cybersecurity Month, the social media…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today