Best Practices for Securing Vendors

By Corvus Threat Intel & Risk Advisory
Last Updated February 25, 2021

Key factors in securing vendors

Most organizations are in the midst of a decade-old shift to deeper integration with managed service providers, software-as-a-service tools, and other cloud-based software solutions. But with that shift to reliance on vendors, attackers have a new target. Attacks on IT managed service providers (MSPs) increased 185% in 2019 according to Crypsis, and MSPs are being called a “worrying new frontier” for ransomware. In a survey of 600 companies, 44% reported experiencing a vendor-caused breach. And in May 2020, a ransomware attack on Blackbaud, a widely used cloud services provider for nonprofits, had broad implications for thousands of organizations. More recently, an advanced (likely nation-state) supply chain attack on the software vendor SolarWinds has left thousands of organizations (and government entities) vulnerable.

Getting started

  • Do you have an inventory of your most critical suppliers or vendors?
  • Does your inventory detail the type of information that the vendor has access to or holds for your organization?
  • Rank your vendors in order of importance, based on their level of access to your data or the sensitivity of the company data they hold.

Vendor vetting

  • Look for vendor attestations as to their security standards (AICPA’s SOC 1 and SOC 2, ISO 27001/27018, CSA STAR, FedRAMP, C5, TRUSTe, Privacy Shield, DPA, etc.).
  • Consider a Third-Party Risk Management software solution such as Third-Party Trust.
  • The Shared Assessments Program’s Third-Party Risk Management (TPRM) Framework is designed to provide guidance for organizations seeking to develop, optimize, and/or manage third-party risk by incorporating a wide range of best practices into their risk management program.
    • The Framework also provides guidance on how to implement meaningful incremental improvements in TPRM practice maturity in organizations where resources may be constrained.
  • Do your vendor contracts contain security-related provisions (data breach notification, data handling, etc.)?
    • Discuss vendor contract provisions in a free one-hour consult with Beckage Law (you can request this by emailing the Risk & Response Team).