What Mid-Market Businesses Get Wrong About Vendor Risk
Most of the breaches we see at mid-sized companies don’t start with the company itself. They start with somebody the company decided to trust. Payroll. The marketing automation tool. The IT shop with a VPN tunnel into the network. Once in a while it’s something stranger, like the HVAC contractor with a login to the building management portal that happens to share a network segment with finance.
This is vendor risk, and most mid-market companies are doing it wrong. Not because they’re careless. Often it’s because the program they’re running was built either for an enterprise with a thirty-person risk team or for a five-person shop with three vendors. The middle inherits the worst pieces of both, and that’s where things break.
A few patterns we see often.
Vendor risk has become a procurement task.
In a lot of mid-market companies, vendor risk lives inside procurement. A questionnaire goes out with the contract. The vendor fills it in. Somebody saves it in a SharePoint folder nobody opens again. Deal closes. Box checked.
The trouble is that the questionnaire describes the vendor on the day they signed. Two years later, after a private equity buyout, two rounds of layoffs, a new platform, and an engineer who left her AWS keys in a public repo over a long weekend, that questionnaire is a museum piece.
You bought a product. You didn’t buy a guarantee that the company selling it would still look the same eighteen months in.
SOC 2 is being read as a verdict.
A SOC 2 Type II report is useful. It doesn’t tell you the vendor is safe to plug into your business, but that’s how a lot of buyers treat it.
Two issues. First, the vendor writes the scope. We’ve reviewed plenty of clean Type II reports that, when you actually read them, exclude the integration the client is using. Second, the report measures whether controls exist and operate against a set of criteria. It doesn’t measure how those controls would hold up against somebody who’s actually trying to get in.
If a vendor’s whole answer to “how do you handle security” is the SOC 2 logo at the bottom of their website, you don’t have an answer. You have marketing.
The big vendors get the attention, the small ones get the access.
Programs at this size tend to be top-heavy. The biggest contracts get the most diligence. Everyone else gets the short questionnaire, or nothing.
Attackers don’t really care about your contract values. They care about which door is unlocked. The Target breach famously came through an HVAC contractor. SolarWinds came through a build server most of its customers didn’t know existed. Kaseya rolled downhill through MSPs into thousands of small businesses that had never heard the name. The small specialty vendor is often the way in.
Try this exercise. Make a list of every vendor that holds customer data, financial data, employee data, or has any kind of access to your network. Now mark which ones have a security program you’ve actually looked at. For most mid-market businesses we work with, the second list is much shorter than the first.
An assessment is not a program.
A questionnaire is a snapshot. A vendor risk program is what happens after the snapshot.
Most companies stop at the snapshot. There’s a folder of questionnaires, some from three or four years ago, and the assumption is that the work is done. Meanwhile two of those vendors have had public incidents, one was acquired and migrated its data to a different cloud, and a fourth quietly subcontracted part of its operation overseas without telling anybody.
You don’t need an expensive monitoring platform for this. Often it’s a calendar entry, a few news alerts on the vendor names, and somebody whose job it is to ask a follow-up question when something hits the news.
You probably don’t know what data your vendors actually have.
This is the one that catches owners off guard.
Most companies cannot tell you, with any precision, what’s sitting where. Marketing uploaded a customer export to an email tool last spring. Finance hooked up the bank to a forecasting app. HR is using a recruiting platform that has a year’s worth of resumes, including the W-9s with SSNs for contract workers. Each of these decisions made sense to the person making it. Nobody mapped any of it.
When something breaks, the first question from your lawyer, your insurer, and any regulator who shows up is: what did they have? “We’ll have to find out” is not a great answer in that moment.
What we’d recommend:
The fix isn’t complicated. Most of it is process. Tools come later, if at all.
Inventory everything. Not the procurement list, the actual list. Every tool, service, and contractor that touches your data or your network, including the ones some manager spun up on a corporate card last quarter.
Sort by risk. Most vendors are not equal. The ones holding sensitive data or with privileged access are tier one. The plant watering service is not. Put the effort where it earns its keep.
Re-review the top tier annually at minimum. Make it a calendar event so it actually happens. Tie it to budget cycles if that’s what it takes to get it on the schedule.
Write down what data each vendor has. Keep it current. If somebody asked tomorrow morning, you should be able to answer in five minutes.
Plan how the data comes back, or gets destroyed, when the relationship ends. We’ve seen breach disclosures involve a vendor a company stopped working with three years ago.
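The five steps above, together with the calendar-and-follow-up point from the "assessment is not a program" section, amount to a small amount of structured data and a couple of rules. The script below is an added example, not code from the original post or from Guard Street: it keeps a vendor register, derives a tier from what each vendor holds and what access it has, flags tier-one and tier-two vendors whose review is overdue or has never happened, flags offboarded vendors whose data was never returned or destroyed, and answers "what did they have?" in one call. The vendor names, data categories, dates, and the review intervals (365 days for tier one, 730 for tier two) are constructed for the example; set your own.

```python
"""Vendor register with risk tiering, review cadence and offboarding checks.

Added example, not code from the original post. All vendors, dates and
data categories below are constructed; REVIEW_INTERVAL is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Data categories that make a vendor tier one on their own (constructed list).
SENSITIVE = {"customer", "financial", "employee"}

# How long a tier-one / tier-two vendor may go without a re-review (assumed).
REVIEW_INTERVAL = {1: timedelta(days=365), 2: timedelta(days=730)}


@dataclass
class Vendor:
    name: str
    data_held: set[str]            # categories of our data this vendor holds
    network_access: bool           # VPN tunnel, agent, shared segment, etc.
    privileged_access: bool        # admin-level rights to our systems or data
    last_reviewed: date | None     # when we last read their security program
    active: bool = True            # False once the relationship has ended
    data_disposed: bool = False    # offboarding: data returned or destroyed


def tier(v: Vendor) -> int:
    """1 = sensitive data or any network/privileged access; 2 = other data; 3 = nothing."""
    if v.privileged_access or v.network_access or (v.data_held & SENSITIVE):
        return 1
    if v.data_held:
        return 2
    return 3


def findings(register: list[Vendor], today: date) -> list[tuple[str, str]]:
    """Return (vendor, issue) pairs that need someone's attention."""
    out: list[tuple[str, str]] = []
    for v in register:
        t = tier(v)
        if not v.active:
            # Offboarded vendors still holding data are the three-years-later disclosure.
            if v.data_held and not v.data_disposed:
                out.append((v.name, "offboarded vendor still holds our data"))
            continue
        if t == 3:
            continue  # no data, no access: no review cadence needed
        if v.last_reviewed is None:
            out.append((v.name, f"tier {t}: security program never reviewed"))
        elif today - v.last_reviewed > REVIEW_INTERVAL[t]:
            age = (today - v.last_reviewed).days
            out.append((v.name, f"tier {t}: review overdue ({age} days since last)"))
    return out


def data_map(register: list[Vendor]) -> dict[str, list[str]]:
    """The answer to 'what did they have?': vendor -> sorted data categories."""
    return {v.name: sorted(v.data_held) for v in register if v.data_held}


# Constructed register; "today" is fixed so the results are reproducible.
TODAY = date(2025, 3, 1)
SAMPLE_REGISTER = [
    Vendor("PayrollCo", {"employee", "financial"}, False, False, date(2023, 1, 10)),
    Vendor("MarketingMail", {"customer"}, False, False, date(2024, 9, 1)),
    Vendor("IT MSP", set(), True, True, None),
    Vendor("HVAC Contractor", set(), True, False, None),
    Vendor("AnalyticsDash", {"web_analytics"}, False, False, date(2023, 6, 1)),
    Vendor("Plant Watering", set(), False, False, None),
    Vendor("OldForecastApp", {"financial"}, False, False, date(2021, 4, 1), active=False),
]

if __name__ == "__main__":
    for name, issue in findings(SAMPLE_REGISTER, TODAY):
        print(f"{name}: {issue}")
    print(data_map(SAMPLE_REGISTER))
```

Run it and the output is the follow-up list for this quarter: the payroll vendor is overdue, the MSP and the HVAC contractor have network access and no review on file, the retired forecasting app still has financial data, and the plant-watering service is correctly ignored. The `data_map` result is the five-minute answer the lawyer and the insurer will ask for.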
That’s most of it. Mid-market vendor risk usually isn’t a problem of awareness. The owners we talk to generally know they should be doing more. It’s a problem of where the program lives, what it actually covers, and who’s on the hook for keeping it current.
If you’re not sure where your business stands on that, we’d rather talk through it now than after something happens.
How Guard Street can help.
Guard Street assists companies in creating their vendor risk assessments and management strategy. We provide an ongoing management service to identify the vendor changes, security risks and remediation plans specific to your key vendors.
Visit www.guardstreet.com/connect to discuss your business’s vendor risk needs and how to address them.