
How Many Vendors is Too Many?

29 Mar , 2021

A common risk

For most businesses, having multiple suppliers is so common that its potential role as a security risk is rarely considered.

And yet, as recently as December 2020, one of the world’s biggest corporations was compromised through its IT infrastructure, leaving it, and its 18,000 partners, vulnerable to cyberattack.

Having more vendors than you can keep track of is a security risk

Total SE, a petroleum corporation based in Paris, is a behemoth. And you don’t need to know a thing about them to tell: all you have to do is look at their massive, beautiful, almost frightening headquarters. The Tour Total features three skyscrapers smushed together plus a little extra on the side.


Taking in 200 billion dollars every year, Total SE is among the top 30 biggest companies in the world. Significantly, their business involves the use of over 100,000 suppliers.

It’s worth taking a moment to consider. This means that there’s one company out there that sells Total SE equipment for their pipelines, and another that sells them consulting services, and another altogether that delivers water bottles to their office break rooms, with 100,000 more companies doing everything in between.

If the scale of that number still hasn’t sunk in, consider this: if you imagine that every Total SE vendor (each of which might, in reality, employ 1, 10 or 10,000 people) were just one person, you’d still end up with a larger population than that of famous French cities like Avignon, Dunkirk or Versailles.

Total is far from the only corporation of that size. Walmart works with over 100,000 suppliers, as do a number of other major multinational corporations.

Even companies that aren’t multi-billion-dollar global enterprises tend to use more vendors per capita than you’d imagine. According to a 2016 survey from software company Bomgar, the average medium-to-large enterprise’s IT network is accessed by around 90 different vendors on a weekly basis. More shockingly, only a third of respondents (all IT “decision-makers”) were confident that they knew the actual number for their own company, meaning that two-thirds of respondents did not know how many vendors accessed their systems.

Whether 100 vendors are necessary to support a mid-size business, or 100,000 to support a multinational corporation, is a matter for each executive board to decide on its own. What is universally true, for all organizations, is this:

Having more vendors than you can reasonably, consistently keep track of is a major security risk.

Security breaches can cause a domino effect: a case study

Early last December, news broke that FireEye – one of the premier cybersecurity companies in the world – had been hacked. It was the biggest story in the industry all year, for obvious reasons. Hacking FireEye was a bit like assassinating a CIA agent, or beating Michael Jordan in a one-on-one: you just don’t often see the best get beaten at their own game.

But what was most remarkable about FireEye’s story is that it was just the peak – the tippy, tippy-top – of a gigantic iceberg.

Within a week of FireEye’s disclosure, it became clear that this wasn’t just a FireEye hack: FireEye was simply the first to disclose a hack that also affected tens of thousands of other organizations. It reached major companies like Cisco, Equifax and Nvidia, and more U.S. government organizations than you can count on two hands: the Department of Defense, Homeland Security, Treasury, Commerce, Agriculture, you name it.

No longer was this merely the biggest cybersecurity news of 2020. It was the biggest news, the most important hack pulled off in a decade.

This coordinated assault is now commonly referred to as the “SolarWinds attack,” or just “SolarWinds” for short. It’s called that because all 18,000 compromised organizations had one common connection: they shared a vendor called SolarWinds Inc.

SolarWinds is an IT management company. Their software helps other companies keep track of their networks (aiding in, for example, detecting and resolving outages). Over 300,000 companies count SolarWinds among their suppliers, including almost every Fortune 500 company. SolarWinds is the Amazon, the McDonald’s, or the Kleenex of their industry.

But what happens if Kleenex accidentally starts shipping toxic tissues? Suddenly, everyone with a nose is at risk.

In late 2019, Russian hackers first breached SolarWinds through one of their vendors: Microsoft. Once inside SolarWinds, they targeted the company’s flagship product: Orion, planting unique malware that traveled into client networks via a seemingly ordinary software update.

18,000 organizations were breached by the software update, all stemming from one vendor.

Preventing Vendor Risk

The SolarWinds attack was remarkably sophisticated: even companies with fantastic records on cybersecurity nonetheless failed to catch it before it was too late. But make no mistake: SolarWinds was not unprecedented. Supply chain attacks are an established, growing threat in cyberspace because they’re efficient for hackers, thanks to one major Achilles’ heel that SolarWinds made very apparent:

Most companies don’t have the capacity to comprehensively monitor all their vendors.

After all, what mid-size company has the resources to fully monitor 90 vendors popping in and out of their network on a weekly basis? And, even at a company with as much cash and manpower as Total SE or Walmart, is it humanly possible to manage over 100,000 different vendors at once? In either scenario, the minimum requirement is perfection, because all it takes is one SolarWinds to constitute a breach.

What, then, is the answer here?

For some companies, the solution seems to be more vendors, specifically cybersecurity providers. Cisco data suggests that a full 13% of companies pay over 20 security providers, and 4% more than 50!

While more security is usually better than less, there’s fault in this logic. For one thing, cybersecurity isn’t a matter of simple addition, and redundancy can be counterproductive. For another, while cybersecurity companies are more secure than most, they’re not invulnerable. If FireEye, Malwarebytes, and Palo Alto Networks can all be hacked, then no institution on the planet is totally safe.

That’s why companies should be aware of third-party risk, and diligent about each new supplier that they add to their lists. In all likelihood no individual company will cause a problem, and yet, collectively, too many vendors can create compound security risk. Any supplier in excess of what a company can reasonably and closely manage is one supplier too many.

Luckily, this is one of the few problems in the universe of IT where greater security actually comes with reduced cost, as paying fewer vendors both collapses attack vectors and cuts zeros off balance sheets.

What you can do to minimize risk

If your organization is serviced by more vendors than your team can feasibly keep track of, it may be within your interest to audit your vendors for redundancies and risk.

Consider where your vendor is in your pipeline, and whether their access to your servers should be terminated or reassessed.
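One way to start the audit described above, and to answer the question from the Bomgar survey (how many vendors actually touch your network each week), is to cross-check a vendor register against remote-access logs. The following is an added example, not code from the original post; the register, log entries and field names are constructed placeholders, and the 7-day and 90-day windows are assumptions to tune for your own environment.

```python
from collections import defaultdict
from datetime import date

# Constructed vendor register: account name -> (service category, access scope).
VENDOR_REGISTER = {
    "netmon-co":     ("network monitoring", "admin"),
    "netwatch-ltd":  ("network monitoring", "admin"),
    "payroll-svc":   ("payroll", "read"),
    "hvac-remote":   ("facilities", "admin"),
    "water-bottles": ("office supplies", "none"),  # no network access at all
}

# Constructed remote-access log: (vendor account, ISO date of login, system reached).
ACCESS_LOG = [
    ("netmon-co",          "2021-03-22", "core-switch-1"),
    ("netwatch-ltd",       "2021-03-23", "core-switch-1"),
    ("payroll-svc",        "2021-03-25", "hr-db"),
    ("hvac-remote",        "2020-11-02", "bms-controller"),
    ("unknown-contractor", "2021-03-26", "jump-host"),   # not in the register
]


def audit_vendors(register, log, today, weekly=7, stale_days=90):
    """Return the findings a vendor audit would raise from register + access log."""
    # Most recent login per account.
    last_seen = {}
    for account, day, _system in log:
        d = date.fromisoformat(day)
        last_seen[account] = max(last_seen.get(account, d), d)
    # 1. Who actually accessed the network this week (the number most teams can't state).
    weekly_active = sorted(a for a, d in last_seen.items() if (today - d).days < weekly)
    # 2. Accounts with access that nobody has on the vendor list: reassess or terminate.
    unregistered = sorted(a for a in last_seen if a not in register)
    # 3. Vendors holding access they have not used in a long time: candidates for termination.
    stale_privileged = sorted(
        v for v, (_cat, scope) in register.items()
        if scope != "none" and (v not in last_seen or (today - last_seen[v]).days >= stale_days)
    )
    # 4. Redundancy: several vendors doing the same job means more access for the same outcome.
    by_category = defaultdict(list)
    for v, (cat, _scope) in register.items():
        by_category[cat].append(v)
    redundant = {cat: sorted(vs) for cat, vs in by_category.items() if len(vs) > 1}
    return {"weekly_active": weekly_active, "unregistered": unregistered,
            "stale_privileged": stale_privileged, "redundant": redundant}


if __name__ == "__main__":
    for finding, items in audit_vendors(VENDOR_REGISTER, ACCESS_LOG, date(2021, 3, 28)).items():
        print(f"{finding}: {items}")
```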

No matter the size of your business, it is never too early or too late to manage your system’s security.

