
Avoiding the "Set-It-and-Forget-It" Mindset: Third-Party Vendors and Cyber Security

Mark Lanterman | January 17, 2025


In my last article "Technological Difficulties: The CrowdStrike Update and Cyber Risk," I discussed the operational and financial repercussions of a faulty software update. One update led to mass outages across multiple sectors, prompting legal issues as well as calls for improved quality control practices. In this case, a third-party vendor was directly responsible for the technological difficulties experienced by its clients, though a cyber attack was reportedly not to blame.

But recently, a cyber attack was to blame for a situation that left a huge organization, Starbucks, unable to effectively carry out some of its most essential functions. However, it wasn't Starbucks itself that was targeted. CNN reported:

A ransomware attack has disrupted a third-party software system that Starbucks uses to track and manage its baristas' schedules, forcing the coffee chain to shift to manual mode to ensure its employees get paid properly.

Source: Sean Lyngaas, "Starbucks Forced To Pay Its Baristas Manually Because of a Ransomware Attack on Third-Party Software," CNN Business, November 25, 2024.

Starbucks is reportedly just one of many companies that have been affected by the incident.

Cyber Risks from Third-Party Vendors

Both of these events reveal an uncomfortable truth for many organizations: Third-party vendors can have a huge impact on organizational functioning, much larger than some may realize. In our interconnected world, third-party vendor relationships may not always be optional. But in a November 12, 2024, report, 2023 Top Routinely Exploited Vulnerabilities, the Cybersecurity and Infrastructure Security Agency (CISA) suggests that organizations limit "third-party applications and unique system/application builds—provide exceptions only if required to support business critical functions."

That said, when one considers the ever-evolving nature of our technological landscape (for example, the recent proliferation of artificial intelligence applications), it can be easy to see how making this distinction isn't always a clear-cut task. The race to implement new technologies and stay current can sometimes lead to cutting cyber-security corners. This also applies to third-party vendors and onboarding practices; however, current vendors that have evaded newer cyber-security standards may pose just as much risk.

According to the March 2023 update of CISA's Cross-Sector Cybersecurity Performance Goals, the vendor selection process should also prioritize cyber security. In fact, it should serve as a deciding metric when comparing multiple vendors. CISA advises that, "given two offerings of roughly similar cost and function, the more secure offering and/or supplier is preferred."

Organizations are in a better position to make these sorts of determinations during the preliminary stages of vendor selection (the importance of adhering to onboarding policies should not be clouded by a rush to incorporate new technologies), but what about vendors that have been employed for years? Much like legacy technology, existing vendor relationships may not be held to the same scrutiny as potential new vendors. Deemed to be "tried and true" ("Nothing has happened yet, so it probably won't, right?"), these vendors may also escape regular assessment and inquiry.

In this sense, it is advisable to consider all third-party vendor relationships as being part of an ongoing "vendor approval process." During security assessments, organizations should also consider the security postures of all third-party vendors with any degree of access to their own data. Depending on the results of this analysis, organizations should ask themselves the following questions.

  • Is this vendor still the best possible match in meeting our needs from an efficiency perspective?
  • From a cyber-security standpoint, is this vendor still the most secure option?
  • If the vendor experiences any sort of technological failure, regardless of its origin, will it help us in our restoration efforts?
  • What is the vendor's personal liability in this eventuality, and should we either revise our contract or find another vendor who is more willing to take greater responsibility in the event of a severe problem?
  • What is the business-critical function this particular vendor serves?

Conclusion

The same standards should be applied for all vendor relationships, not only those that are new. Organizations should always be able to ask their vendors the tough questions, regardless of longevity. Policies ought to determine how vendors are expected to alert organizations, not only regarding cyber incidents but also when significant changes are made to their own digital environments or cyber postures. In our interconnected world, avoiding the risks imposed by third-party vendor relationships may not be possible, but a dynamic approach to vendor relationships can help bridge potential security gaps.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.