Your Third-Party Vendor Inventory is Incomplete (And You Don't Know It)

By Chris Murphey

In recent blog entries, we’ve explored the connection between vendor risk and brand reputation, as well as how critical vendor assessments are for managing risk. And yet, half of the organizations we surveyed assess less than 15 percent of the vendors they work with. In other words, they’re leaving up to 85 percent of their third-party risk unassessed.

In reality, the number of completed assessments is probably even lower. Organizations polled in the survey only provided responses in relation to the third-party vendors they actually know about. Unfortunately, there’s a whole ecosystem of third-party vendors that fly under the radar for most organizations.

Bringing the Bigger Picture of Third-Party Vendors into Focus

The bigger picture of the third-party vendor ecosystem is blurry for most organizations because they generate their vendor inventory only using data from procurement. On the surface, this makes a lot of sense. The vendors you work with need to be identified, RFPs need to be reviewed, contracts awarded, and new vendors brought on board. The procurement team maintains a list of seemingly everyone your organization works with, so their list should be the list when it comes to your third parties.

Unfortunately, their list is usually incomplete, and here’s why.

What you’re not considering is the fact that third-party vendors can be secured through travel and expense (T&E) or purchasing cards (P-Cards), which is a pretty common way to pay for incidental expenses in most organizations. The procurement team may receive a bill from American Express or whatever financial institution administers the card. AMEX then appears as the third party vendor. However, in reality, that expense may not be AMEX; it may be a third-party vendor, one that has access to your organization’s data.

The convenience of that T&E system has created third-party risk, and it’s risk you don’t even know about because your vendor list doesn’t include the actual vendor.

How SurveyMonkey Got Its Hands On PHI

Let’s look at a hypothetical example of how T&E expenses can lead to an incomplete vendor list that introduces risk. A security team wants to know what parts of a healthcare organization are handling patients’ protected health information (PHI). To keep it simple, they purchase a SurveyMonkey subscription (or worse, use a free trial account), build a simple survey, and send it out to the department stakeholders.

Response rates are great, and leaders on every team share details on how their teams interact with PHI. In the spirit of being helpful, some even share examples of that data, real-life examples, using real-life information from actual patients.

That helpfulness has created a security issue! In our hypothetical example, SurveyMonkey now has access to that PHI submitted in the survey response. It was unintentional, but it still happened. However, since AMEX—and not SurveyMonkey—appeared on the bill, the procurement team’s list doesn’t include them. No one knows that they should be monitored.

Similarly, consider bank and payment transactions with companies like PayPal. The fee they collect is just part of the transaction—you didn’t really sign up with them to be a vendor, you’re using them for a service. Nevertheless, they should be part of the ecosystem you monitor…and it’s likely they are not.

Of course, it’s not just SurveyMonkey, AMEX and PayPal; these are specific examples to illustrate a very common occurrence. Third-party vendors have a way of tiptoeing by your vendor list and escaping your notice.

Building a Better Third-Party Vendor Inventory

If this article has made you a little nervous, good. Insight and awareness of better vendor risk management practices at one organization should encourage self-reflection and expose opportunities for improvement, which should in turn cascade and help all of us in general. 

One approach that has helped me in the past is to use data loss prevention software (DLP). It can give you a 30,000-foot view of your buying channels by doing things like scanning large files in emails to look for number formats that could be credit cards, social security numbers or other identifying information. It’s a good last line of defense to identify vendors you may not have contracts with, but who should be on your third-party vendor list. However, even DLPs aren’t foolproof. If information is scanned into an image file through an OCR, it’ll escape the DLP’s notice.

The bottom line is that it’s time for a more systematic approach to building third-party inventory, which is the cornerstone of third-party risk management. You can’t improve what you don’t measure, and you can’t measure something if you don’t know it exists. 

This entry is part of our “…And You Don’t Know It” series designed to uncover common GRC challenges you may not have considered.  If you’d like to learn how Rsam can help you build a better vendor inventory, you can request a demo of the Rsam’s Vendor Risk Management solution