Are Third-Party Vendors Making Your Business Vulnerable?
August 12, 2024
Vendor management is at the forefront of every business's mind considering the recent challenges faced by CDK Global and CrowdStrike. One major concern for businesses is being impacted by outside hostile parties; another is being impacted internally by (hopefully) unintentional error. Something as simple as an unpatched vulnerability in a network or an accidentally pushed faulty update no longer impacts only your own business but can hurt outside parties as well. We are globally connected through various vendors, service providers, and software, and the scale of these outages continues to grow.
External Threats
When a vendor fails to perform as expected, potential profits are lost and employees are forced into high-stress scenarios. Current estimates indicate that the CDK Global outage, caused by a ransomware attack, resulted in lost profits of over $1 billion for dealers. During the outage, dealer accounting departments were reduced to tracking sales and activity on paper, hoping that salespeople and technicians recorded sufficient detail to catch up accurately once systems were back online. The CDK Global outage lasted about two weeks for most dealers and will leave a lasting physical, mental and emotional impact on the employees who managed the difficulties and stress for much longer.
Internal Deficiencies
The CrowdStrike outage, conversely, was caused by a faulty content update to its Falcon sensor that crashed roughly 8.5 million Windows devices across the world. A much more diverse population of businesses was impacted: flights were grounded, and many more businesses sat idle while IT professionals everywhere scrambled to get employees back online and productive. Current estimates for losses as a result of the CrowdStrike outage are $5.4 billion. This means that in the span of a little more than a month and a half, over $6.4 billion was lost due to these two events.
Consequences for Your Business
The causes of these two outages could not be more different. CDK Global was infiltrated by an outside attacker, resulting in a ransomware attack, while CrowdStrike performed inadequate quality assurance testing on an update before pushing it to production. Vendors and businesses alike make mistakes. Nobody is perfect, but businesses need to hold vendors accountable, just as vendors hold businesses accountable. There is a very real monetary impact from outages, poor management, and insufficient or poorly operating controls. One control businesses can use to stay on top of vendors is performing due diligence when selecting them and then reviewing them on an ongoing basis. Vendors should be reviewed at least annually in the absence of problems and concerns. Whenever outages or inadequate service do occur, it is also prudent to review the relationship with your vendor and evaluate whether or not they will be able to continue to meet your expectations and needs. As the world becomes more and more connected, outages and problems such as these will continue to increase in frequency and scope. To stay on top of your relationships and business, we recommend the following vendor checklist as part of your vetting and renewal process.
- Vendor information: Gather information about the vendor, such as their certifications and awards
- Product or service quality: Evaluate the quality of the vendor's products or services
- Reliability and timeliness: Assess how reliable and timely the vendor is
- Industry experience: Determine the vendor's experience in their industry
- Pricing: Compare the vendor's pricing to others
- Customer feedback: Review client testimonials and talk to other customers of the vendor
- Financial stability: Evaluate the vendor's financial stability, including reviewing audited financial statements when necessary
- Compliance: Ensure the vendor is compliant with regulations, including obtaining and reviewing updated SOC or other compliance reports annually. Read the report rather than filing it: note the period covered, any exceptions the auditor identified, and the complementary user entity controls the report expects your business to operate
- Customer service: Evaluate the vendor's customer service over the past year or based on reviews
- Business continuity: Verify the vendor has plans in place for business continuity and disaster recovery, and ask when those plans were last tested and how quickly they commit to restoring service
- Significant events: Evaluate significant events in the past year and review the vendor's response (shutdowns, security breaches, faulty updates, acquisitions, etc.)
- Internal stakeholders: Gather feedback from internal stakeholders
See the attached Vendor Management Inventory Template to utilize in developing your own unique and appropriate vendor management process. The more prepared we are for the outages which will come, the faster and more prudently we can overcome them.
James is an Audit Senior Manager at Larson & Company. He specializes in insurance and small and medium-sized business audits and is a member of the Emerging Industries practice group.