Managing Cyber Risk for Your Small and Medium-Sized Vendors

Why Your SMB Vendors Require a Different Approach

Confidence in a third-party risk management program depends on its ability to scale to your full vendor ecosystem, not just the handful of vendors perceived as most critical. Small and medium-sized businesses (500 or fewer employees) represent over 99% of all U.S. businesses (SBA), so the odds are that a large share of your vendors are SMBs. Any one of them could be the weak link in your company's security chain.

Traditional approaches may work well for your larger vendors, but they break down for SMBs for the following reasons:

  • Security questionnaires are not "one size fits all"; SMBs often lack the staff and tooling to answer them accurately or completely
  • On-site security audits are cost prohibitive across the hundreds - or even thousands - of SMB vendors you may do business with
  • External-only evaluations capture just one view of security, and many SMBs have little public-facing footprint to scan beyond a website

So, what is the right approach for your SMB vendors? An assessment program that is scalable, fast, and cost effective, and that has been designed specifically for their infrastructures.

SMB risk profiles need objective validation.

The only reliable way to confirm that your vendors meet a security baseline is to gather validated data from their internal security controls. It's easy to answer "yes" on a security questionnaire. It's easy to look "good" from the outside when the only discoverable presence online may be a public-facing website. With the ability to programmatically audit internal security controls against frameworks such as the Australian Signals Directorate's mitigation strategies, the CIS Controls, and the SANS Top 20, CISOs and risk managers can have objective, validated information about the actual security posture of their SMB vendors.

SMB risk profiles change more often than large company profiles.

Larger companies tend to have risk profiles that change very little over time: the maturity of their IT infrastructure and security policies provides stability and oversight. A small or medium-sized company, on the other hand, may be in hyper-growth mode or run a "BYOD" (bring your own device) policy, and what little security it has defined or required may be implemented sporadically or forgotten altogether.

SMB vendors are being targeted.

Cyber criminals are looking for the easiest way in with the biggest payout.

SMB vendors are being targeted because they typically have a weaker security posture, not because of the value of their own digital assets: they are the easiest vector into their enterprise partners. Target, Home Depot, Goodwill, Lowe's, and many others were all breached through a third-party vendor. In fact, 67% of the breaches in the Fortune 1000 that took place last year were through third-party vendors and suppliers. [need citation]

According to Symantec's Internet Security Threat Report, 2016, SMBs (fewer than 250 employees) are increasingly being targeted by spear-phishing attacks. As a share of the organizations targeted by spear-phishing, SMBs grew from 18% in 2011 to 43% in 2015. The number of spear-phishing campaigns targeting employees also grew 55% in 2015.

And it's working. According to a June 2016 research report from Ponemon Institute, LLC, 2016 State of Cybersecurity in Small and Medium-Sized Businesses (SMB), 50% of SMBs reported a data breach in the past 12 months.

Why External Assessments Alone are Not Enough

More than 80% of cyber attacks are due to weaknesses with internal security controls.*

Some vendors look good from the outside, others not so much. Either way, you can't decide whether to trust a vendor's security posture on an external risk assessment alone: both external and internal assessments are necessary. Use the external score to shape your risk management process and prioritize your vendor audits. Use the internal score to confirm that a security baseline is met across your extended enterprise.

Even a vendor that looks good from the outside may have a poor internal security posture, and the external view alone cannot tell you which case you are looking at.

External assessments provide an initial view of how a vendor approaches its information security program from a public-facing perspective, similar to what an external adversary would see when probing to decide whether the vendor is a "ripe" target. They establish a first view of risk so that additional audits and measures can follow.

Internal assessments often begin with a questionnaire in which the vendor describes its own security posture. While valuable, questionnaire data must be augmented with an assessment of validated security controls, both to verify the responses and to uncover gaps the questionnaire did not ask about. Internal assessments provide the real view of what is happening inside the organization, well beyond an external assessment or a self-attested questionnaire.
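The reconciliation the last three sections argue for (validated control data checked against questionnaire answers, with the external score used only to order follow-up) is shown below as an added example. It is not DatumSec's code or product logic; the control names, their weights, the 60% baseline threshold and the three vendor records are all constructed for the illustration.

```python
"""Reconcile self-attested questionnaire answers with validated control data.

Added illustration, not DatumSec's code. Control names, weights, the baseline
threshold and every vendor record below are constructed for the example.
"""
from dataclasses import dataclass

# Baseline controls a vendor is expected to meet, weighted by importance.
# Constructed list; names only loosely echo items found in the CIS Controls
# and the ASD mitigation strategies.
BASELINE_CONTROLS = {
    "os_patched_within_30d": 3,
    "mfa_on_remote_access": 3,
    "endpoint_av_enabled": 2,
    "full_disk_encryption": 2,
    "admin_accounts_restricted": 2,
    "backups_tested": 1,
}
BASELINE_THRESHOLD = 60  # percent of weighted controls that must be *verified* as met


@dataclass
class VendorAssessment:
    name: str
    external_score: int  # outside-in rating, 0-100, higher is better (constructed scale)
    attested: dict       # questionnaire answers: control -> True/False
    validated: dict      # evidence collected from the vendor's systems: control -> True/False
                         # (a control missing from this dict has no evidence at all)


def reconcile(vendor):
    """Return (coverage, contradicted, unverified).

    coverage     - percent of weighted controls with evidence they are met;
                   a control with no evidence earns no credit
    contradicted - controls the vendor attested to that evidence shows are absent
    unverified   - controls for which no evidence was collected
    """
    total = sum(BASELINE_CONTROLS.values())
    met, contradicted, unverified = 0, [], []
    for control, weight in BASELINE_CONTROLS.items():
        observed = vendor.validated.get(control)
        if observed is None:
            unverified.append(control)
        elif observed:
            met += weight
        elif vendor.attested.get(control, False):
            contradicted.append(control)  # said "yes", evidence says "no"
    return round(100 * met / total), contradicted, unverified


def meets_baseline(vendor):
    """Baseline is met only on verified evidence, never on attestation alone."""
    coverage, _, unverified = reconcile(vendor)
    return coverage >= BASELINE_THRESHOLD and not unverified


def audit_priority(vendors):
    """Order vendors for follow-up: contradicted answers first, then missing
    evidence, then low verified coverage, then a low external score. A high
    external score never moves a vendor down the list on its own."""
    rows = []
    for v in vendors:
        coverage, contradicted, unverified = reconcile(v)
        rows.append({"name": v.name, "external_score": v.external_score,
                     "internal_coverage": coverage, "contradicted": contradicted,
                     "unverified": unverified, "meets_baseline": meets_baseline(v)})
    rows.sort(key=lambda r: (-len(r["contradicted"]), -len(r["unverified"]),
                             r["internal_coverage"], r["external_score"]))
    return rows


# Constructed sample vendors. The first is the case the text warns about: a clean
# external footprint and an all-"yes" questionnaire, but evidence that three of
# the attested controls are not in place.
SAMPLE_VENDORS = [
    VendorAssessment(
        name="Acme Legal LLP", external_score=88,
        attested={c: True for c in BASELINE_CONTROLS},
        validated={"os_patched_within_30d": False, "mfa_on_remote_access": False,
                   "endpoint_av_enabled": True, "full_disk_encryption": True,
                   "admin_accounts_restricted": False, "backups_tested": True}),
    VendorAssessment(
        name="Northwind Reseller", external_score=61,
        attested={"os_patched_within_30d": True, "mfa_on_remote_access": False,
                  "endpoint_av_enabled": True, "full_disk_encryption": False,
                  "admin_accounts_restricted": True, "backups_tested": True},
        validated={"os_patched_within_30d": True, "mfa_on_remote_access": False,
                   "endpoint_av_enabled": True, "full_disk_encryption": False,
                   "admin_accounts_restricted": True, "backups_tested": True}),
    VendorAssessment(
        name="Offshore Web Dev Co", external_score=75,
        attested={c: True for c in BASELINE_CONTROLS},
        validated={"os_patched_within_30d": True, "mfa_on_remote_access": True,
                   "endpoint_av_enabled": True}),  # no evidence for the other three
]

if __name__ == "__main__":
    for r in audit_priority(SAMPLE_VENDORS):
        print(f"{r['name']:<22} ext={r['external_score']:>3} verified={r['internal_coverage']:>3}% "
              f"baseline={r['meets_baseline']} contradicted={r['contradicted']} "
              f"unverified={r['unverified']}")
```

The vendor with the best external score lands at the top of the audit list, because three of its "yes" answers are contradicted by evidence and its verified coverage is 38%. The honest vendor with a mediocre external score is the only one that clears the baseline, and the vendor with no evidence for half its controls is held for follow-up rather than credited for attestations nobody checked.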
Assessing Your Vendor Risks: Internal vs. External

A DatumSec White Paper

Many organizations have well-defined processes to assess the security posture and business risk presented by their largest vendors. Unfortunately, those processes may not be sufficient for every vendor tier, and a substantial share of the risk likely sits in the tiers they miss. More specifically, most tools and processes fall short when it comes to extending third-party risk assessments to smaller (tier 2 and tier 3) vendors, service providers, contractors, and consultants. Size-based filters and a simple outside-in approach aren't sufficient.
Assessing & Mitigating Security Risks from Small & Mid-Sized Suppliers

A DatumSec White Paper

Every vendor represents a potential security risk to your organization. Whether it's a small specialized law firm, a local value-added reseller delivering technology and providing services, a consultant dedicated to your industry, or an offshore Web developer, it's important to understand those risks and make the best possible decisions before they touch your infrastructure, your systems, and your data.