
Best Practices for Securing Vendors

Key Factors in Securing Vendors

Most organizations are in the midst of a decade-old shift to deeper integration with managed service providers, software-as-a-service tools, and other cloud-based software solutions. But with that shift to reliance on vendors, attackers have a new target. Attacks on IT managed service providers (MSPs) increased 185% in 2019 according to Crypsis, and MSPs are being called a “worrying new frontier” for ransomware. In a survey of 600 companies, 44% reported experiencing a vendor-caused breach. And in May 2020, a ransomware attack on Blackbaud, a widely used cloud services provider for nonprofits, had broad implications for thousands of organizations. More recently, an advanced (likely nation-state) supply chain attack on the software vendor SolarWinds has left thousands of organizations (and government entities) vulnerable.

Getting Started

  • Do you have an inventory of your most critical suppliers or vendors?

  • Does your inventory detail the type of information that the vendor has access to or holds for your organization?

  • Rank your vendor list in order of importance (based on level of access to data or holding sensitive company data).

Vendor Vetting

  • Look for vendor attestations as to their security standards (AICPA’s SOC 1 & SOC 2, ISO 27001/27018, CSA STAR, FedRAMP, C5, TRUSTe, Privacy Shield, DPA, etc.)

  • Consider a Third-Party Risk Management software solution such as Third-Party Trust.

  • The Shared Assessments Program’s Third-Party Risk Management (TPRM) Framework is designed to provide guidance for organizations seeking to develop, optimize and/or manage third-party risk by incorporating a wide range of best practices into their risk management program.

    • The Framework also provides guidance about how to implement meaningful incremental improvements in TPRM practice maturity in organizations where resources may be constrained.

  • Do your vendor contracts contain security-related provisions (data breach notification, data handling, etc.)?

    • Discuss vendor contract provisions in a free one-hour consult with Beckage Law (you can request this by emailing the Risk & Response Team).
