December 13, 2019

Last Updated on January 4, 2024

Managing vendor risk effectively can demand significant planning and resources. Many small to medium-sized businesses (SMBs) lack the expertise and employee bandwidth to tackle the problem in-house, so they've put off addressing it.

In fact, according to Ponemon, 70% of SMBs don't even have a comprehensive inventory of all the third parties they share sensitive data with, let alone a program to mitigate the associated risk. Yet parallel Kaspersky research shows that incidents impacting the IT systems of vendors are the costliest type of data breach for SMBs.

If your business is in the dark about (and thus significantly exposed to) vendor risk, let's dive into why it's important to act, and quickly.

QUICK DISCLAIMER… we do not believe in fear mongering; we think it's our responsibility to keep you informed so you can make the best decision for you and your business. With that out of the way…

  1. You've got more vendors than ever to worry about. Your employees are moving more and more sensitive data to SaaS applications hosted by third parties without sanction from your IT function, and this data is highly vulnerable to cyber attack. Most estimates put shadow IT at about 40-50% of total IT spending. Meanwhile, Gartner estimates that in 2020 one in three successful hacks on enterprises will target shadow IT assets.
  2. Regulators and other stakeholders are increasingly demanding that SMBs manage vendor risk. A handful of the growing number of regulations mandating vendor risk assessments include the HIPAA Security Rule, GDPR, OCC Bulletin 2017-21 and NY DFS 23 NYCRR 500. Customers and other stakeholders likewise expect vendor risk management to be part of a reasonable security posture, and therefore a prerequisite for doing business. Further, any SMB that hopes to meet client demands for security attestations like ISO 27001 or SOC 2 will need to have at least a basic (if not robust) vendor risk management program in place.
  3. Data breaches targeting vendors are escalating off the charts. Ponemon's most recent study on "third-party risk in the outsourced ecosystem" reveals that 61% of US businesses reported experiencing a data breach caused by a third party. Hackers are well aware that vendors (e.g., SaaS providers) often have lax security practices, and that their clients are all too often ignorant of the resulting information security risks.

Far better to find out through vendor risk assessments than through a data breach that you’re sharing data with vendors that can’t adequately protect it. If you know you need vendor risk management but are wondering where to start and what a workable program would look like for your organization, contact Pivot Point Security. We specialize in helping SMBs achieve practical, reliable and cost-effective vendor risk management.

TPRM for SMBs guide

Through our 17 years of experience, we've collected these 5 fast-track best practices for implementing a vendor risk management program as a small- to medium-sized business (SMB).
Download our free TPRM PDF guide now!