#5 Third-Party Vendors
Vendors
So let me get this straight… A very obvious external function is going to be labeled as an internal threat?
...Yes?
OMG...
Hear me out. Third parties are technically external; however, some organizations provide them with similar trust and access as internal entities once they are onboarded and integrated into operations and other critical workflows. What are the indications that they are treated like internal entities? Let’s start with:
Lack of Due Diligence Follow-up & Ongoing Monitoring
Just like an internal, trusted workforce member or service, many third parties are left to operate with no follow-up due diligence for the rest of their tenure in the organization. Should this be the case? Heck no.
The reasons why they get this treatment vary. Sometimes it’s because there aren’t enough resources to track vendors. Once the original onboarding due diligence (CAIQ, SOC 2, security questionnaire, risk review, document review) concludes, ongoing monitoring and annual attestation verification are still required. Ensuring that the vendor's processes and services remain in compliance is essential.
Unfortunately, many security and compliance programs (and Legal teams, for that matter) lack the bandwidth to follow up constantly with a vendor that has been performing services for years.
Some organizations maintain hundreds—if not thousands—of vendors. Besides the initial assessment and review, it’s essential to ensure that controls, reporting, audits, vulnerability reports, penetration tests, and coding requirements align with risk thresholds, especially for technology-focused vendors.
In situations where the vendor has access to critical systems or provides a critical function, this can lead to disaster—literally. That’s why ensuring vendors take part in your Disaster Recovery and Business Continuity Exercises can help reduce losses.
Events like the SolarWinds and CrowdStrike outages don’t happen in a vacuum. They are warning shots across the bow, highlighting that adequate governance and requirements are not in place.
Shadow Vendors
A third of the departments responsible for this threat were listed in our previous article on how Compliance/Infosec groups contribute to the lack of oversight over Shadow IT. It is these third parties that make the risks concrete. Unauthorized third-party tools used without approval are a growing menace.
Maybe a tenth of your organization is hell-bent on using Slack instead of Teams. Maybe half of the company never transitions from Zoom to Teams for web conferencing.
Let’s say some random employees set up Box, Dropbox, or Google Drive accounts to store certain files for specific workflows. There are even multiple project management tools in use—this goes on and on.
The market provides many different services, and once people are comfortable using them, they often want to keep them for productivity. This behavior can lead some workforce members to sign up for small environments on platforms without authorization.
There are situations in which managers or directors are the ones spearheading this shadow asylum.
Why would that be?
In some cases, they (org people) hate and despise going through an official process to get what they want. They want what they want, and they want it now.
In other situations, they just don’t know the channels to engage in the official procurement process.
Strong, well-defined technical controls that give visibility into workforce members signing up for services with the company’s domain, combined with analysis of their traffic patterns, can help discover these unofficial services.
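As an added illustration of the traffic-pattern half of that control (example code written for this article, not a tool the author describes), the script below walks constructed web-proxy log lines, maps destination hosts to a small assumed SaaS catalogue, and reports unapproved products seen from more than one user. The log format, catalogue, and approved list are all assumptions.

```python
from collections import defaultdict

# Assumed catalogue of well-known SaaS domains (parent domains; subdomains match too).
SAAS_CATALOGUE = {
    "slack.com": "Slack",
    "zoom.us": "Zoom",
    "dropbox.com": "Dropbox",
    "box.com": "Box",
    "drive.google.com": "Google Drive",
    "teams.microsoft.com": "Microsoft Teams",
}

# Assumed: the only product procurement has actually onboarded.
APPROVED = {"Microsoft Teams"}


def product_for(host: str):
    """Map a destination host to a catalogued product, walking up parent domains."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in SAAS_CATALOGUE:
            return SAAS_CATALOGUE[candidate]
    return None


def find_shadow_vendors(log_lines, min_users=2):
    """Return {product: sorted users} for unapproved SaaS used by >= min_users people.

    Assumed log format: "<timestamp> <user> <dest_host> <bytes>"; malformed lines are skipped.
    """
    users_by_product = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        _ts, user, host, _bytes = fields[:4]
        product = product_for(host)
        if product and product not in APPROVED:
            users_by_product[product].add(user)
    return {p: sorted(u) for p, u in users_by_product.items() if len(u) >= min_users}


# Constructed sample proxy log (not real data).
SAMPLE_LOG = [
    "2024-05-01T09:00:01 alice app.slack.com 5120",
    "2024-05-01T09:00:05 bob files.slack.com 2048",
    "2024-05-01T09:01:10 carol www.dropbox.com 81920",
    "2024-05-01T09:02:00 dave www.dropbox.com 40960",
    "2024-05-01T09:03:00 erin teams.microsoft.com 1024",
    "2024-05-01T09:04:00 frank us02web.zoom.us 3072",
    "garbled line",
]

if __name__ == "__main__":
    print(find_shadow_vendors(SAMPLE_LOG))
```

Lowering `min_users` to 1 surfaces single-user sign-ups such as the lone Zoom session, at the cost of more noise.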
It would be ideal if vendors required a security representative to sign off on any organization-related service offerings as a contract requirement. But aye… I get it—why involve security if you don’t have to?
Respect is earned—and unfortunately, it often takes some nasty events to get decision-makers involved. Eventually, they realize that having compliance and security teams as tollgates helps everyone cover their, you know whats.
Some studies report that in larger organizations, Shadow IT can make up 30–40% of IT spending. Even cutting that in half would still amount to a preposterous sum.
They Have Access to Your Data
Data is a pretty big deal, right? If not the biggest, it’s certainly in the top two or three priorities. To be fair, in some companies, the biggest goal is making their leadership filthy rich before they jump to the next trampoline (organization) to rinse and repeat their shenanigans. But data remains a major priority.
Third parties are often trusted to store, transmit, and process our data. Depending on the industry and services provided, some vendors are directly integrated into the core functionality of the primary services companies deliver.
Want to provide insights from datasets but lack expertise in all aspects of Extract, Transform, and Load (ETL)? Ship it to 10 different vendors to add their ingredient to your digital pepperoni!
Is this a problem? It could be. Each third party must be trusted and follow proper data handling processes, systems, monitoring, logging, and procedures. The truth is, if any vendor’s security is inferior to the acquiring company’s, the acquiring company is already at fault.
It is often said—and recommended—that each vendor in the supply chain should maintain equal or better security than the clients they serve.
How much would you bet that this is a widely adhered-to practice?
Customers should know:
- Where their data will be stored
- How it will be stored
- Who will have access to it (and under what conditions)
- What happens to their data upon termination of services
These are the basics.
Discussions around whether vendors are using your data in any way—such as data mining, metadata analysis, or improving their own services—are another matter entirely.
Do we know if the vendor has adequate monitoring, logging, and multi-factor authentication (MFA) to ensure that an insider on their end cannot exploit vulnerabilities outside our control?
When using vendors for staff augmentation, software development, or administrative functions, are we monitoring them as rigorously as we do our internal workforce? Wouldn’t it make sense to apply additional controls to them?
There are many things to consider here, so let’s leave it with this final thought: Are your upstream customers signing off on the use of these vendors when their data or services are involved?
Incident Response & Notification Requirements
Many contracts contain clauses and provisions centered around the detection of events and how long it takes before the client is notified. Occasionally, the contract provides more details about what qualifies as an event versus an incident.
In some cases, agreements must be made regarding when the event or incident is officially classified. The key question is: Does the "notification clock" start ticking from the moment the event is identified, or only after specific conditions are met and it is confirmed as a true incident?
You know what I rarely see, though, once these contracts are executed and, years later, everyone is happily basking in the bed of flowers that is business and customer value creation? Anyone remembering the notification requirements when things hit the fan.
Einstein once said that it wasn’t necessary to carry around facts just for the sake of it, as they could easily be found in books. This is often paraphrased as: “Never memorize what you can look up in books.”
The point is—sure, if you know where your contracts are and can reference them when needed, such things are not a problem. However, what happens when every contract you’ve signed contains different promises to different clients and vendors?
Perhaps there was pressure to execute the contract within a tight timeframe. Or maybe a vendor or client insisted on a specific reporting/notification period and refused to compromise.
Let's Wrap This Up
Vendors are our partners in crime. Okay, maybe the wrong choice of words there... (or are they? *wink* *wink*)
Vendors are a necessary part of the game. They help organizations create value by bringing in services, tools, skills, and knowledge that can boost what you offer your customers. There are plenty of good reasons to work with vendors. They can be cost-effective, save you time, or give you access to specialized expertise. But here’s the thing: vendors have to be monitored and evaluated constantly, or you’re rolling the dice—and not in the fun way.
The problem is when things slip through the cracks. Vendors can shift from being helpful allies to becoming vulnerabilities that threaten your organization’s ability to deliver value. Non-compliance, sloppy processes, weak data protection, and a general lack of care can creep in without anyone noticing. You also can’t assume that a vendor will always stay true to its original mission, especially when leadership changes. Once the founders or initial champions leave, it’s not uncommon for the new suits to shift gears and prioritize squeezing every last dollar out before moving on to their next carcass (throat clear)… venture. Venture.
This drift in focus can leave you with vendors who no longer care about being exceptional—they’re just passing through. And when that happens, your organization might get stuck holding the bag. If the vendor cuts corners, forgets compliance, or drags its feet on service delivery, it’s your reputation—and sometimes your bottom line—that takes the hit.
In the end, vendors are like house guests. Some of them come in, follow the rules, and help keep things running smoothly. But others show up, stay in the fridge, and leave a mess behind. If you want to keep the fridge stocked and the mess to a minimum, you’ve got to set expectations early and keep an eye on them. Continuous assessments, clear communication, and making sure they’re held to the same standards as your internal team are essential. Because if you don’t stay on top of it, a vendor that once made your life easier can quickly become your biggest headache.