August 12, 2024
Vendor management is at the forefront of every business’s mind considering the recent challenges faced by CDK Global and CrowdStrike. One major concern for businesses is being impacted by outside hostile parties, and another is being impacted internally by (hopefully) unintentional error. Something as simple as an open vulnerability in a network or accidentally pushing a faulty update no longer impacts only your own business but can hurt outside parties as well. We are globally connected through various vendors, service providers, and software. The scale of these outages continues to grow.
When a vendor fails to perform as expected, potential profits are lost and employees are forced into high-stress scenarios. Current estimates indicate that the CDK Global outage, caused by a ransomware attack, resulted in lost profits of over $1 billion for dealers. During the outage, dealer accounting departments were resigned to tracking sales and activity on paper, hoping that salespeople and technicians recorded sufficient detail to catch up on activity accurately once back online. The CDK Global outage lasted almost a full month, and its health, mental and emotional impact on the employees who managed the difficulties and stress will last much longer.
The CrowdStrike outage, conversely, was caused by a problematic update that impacted 8.5 million Windows devices across the world. A much more diverse population of businesses was impacted, with flights grounded and many more businesses twiddling their thumbs while IT professionals everywhere scrambled to get employees back online and productive. Current estimates for losses as a result of the CrowdStrike outage are $5.4 billion. This means that in the span of a little more than a month and a half, over $6.4 billion was lost due to these two events.
The causes of these two outages could not be more different. CDK Global was infiltrated through vulnerabilities, resulting in a ransomware attack, while CrowdStrike performed inadequate quality assurance testing on updates prior to pushing them to production. Vendors and businesses alike make mistakes. Nobody is perfect, but businesses need to hold vendors accountable, just as vendors need to hold businesses accountable. There is a very real monetary impact from outages, poor management, and insufficient or poorly operating controls.
One control businesses can use to stay on top of vendors is performing due diligence when selecting vendors and subsequently reviewing them. Vendors should be reviewed at least annually in the absence of problems and concerns. Whenever outages or inadequate service do occur, it is also prudent to review the relationship with your vendor and evaluate whether they will be able to continue to meet your expectations and needs. As we become a more and more connected world, outages and problems such as these will continue to increase in frequency and scope. In order to stay on top of your relationships and business, we recommend the following vendor checklist as part of your vetting and renewal process.
See the attached Vendor Management Inventory Template to utilize in developing your own unique and appropriate vendor management process. The more prepared we are for the outages which will come, the faster and more prudently we can overcome them.