Free Trial
Products Products
MSP360 Backup Backup and Recovery
MSP360 Backup Backup and Recovery
Overview
back up DATA FROM
Windows VMware/Hyper-V MacOS Microsoft 365 Linux Google Workspace
BACK UP DATA TO
AWS Google Wasabi Azure B2 Local
MSP360 RMM IT Management MSP360 Connect included
MSP360 RMM IT Management
Overview
MONITOR AND MANAGE
Windows macOS Linux
Prevent cyber threats
Endpoint threat prevention and protection (powered by Deep Instinct)
MSP360 Connect Remote Access
MSP360 Connect Remote Access
Overview
Connect FROM
Windows Android MacOS iOS
Connect TO
Windows MacOS
Pricing
Pricing Pricing
MSPs Internal IT
Solutions Solutions
Business type
Industries
MSP IT Departments Small Busness
Healthcare Education
Business type
MSP IT Departments Small Busness
INDUSTRIES
Healthcare Education
use cases
ENDPOINT PROTECTION
Ransomware Protection Endpoint Threatbr
Prevention and Protection
powered by Deep Instinct
Remote Access
Web-Based Remote Access Remote Support Remote Access Remote Work Remote Collaboration
IT Management
Patch Management Monitoring and Alerting Remote Device Management SNMP Monitoring
Backup and Recovery
Server Backup Backup for Windows Backup to AWS Desktop Backup Backup for MacOS Backup to Wasabi File Backup Backup for Linux Backup to B2 Image-Based Backup Backup for VMware/Hyper-V Backup to Azure SQL Server Backup Backup for Google Workspace (GSuite) Backup to Google Cloud Synology NAS Backup Backup for Microsoft 365 (O365) Back Up Locally Recovery
Not sure if MSP360 is for you?
Request a Call
Resources Resources
MSP University Blog Whitepapers and Assets Videos Webinars Events Customer Stories Forum
Support Support
US-Based Support My Cases Open a Case Knowledge Base Online Help
Partners Partners
technology partners
AWS Wasabi Backblaze Google Cloud Microsoft Azure Deep Instinct
Partners
Resellers Distributors Become a Partner
ALLIANCE PARTNERS
Leet Cyber Security
Company Company
About Legal Information Events Careers Leadership Team Contact Us Trust Center
Blog Articles
Read MSP360’s latest news and expert articles about MSP business and technology

Guide to Vendor Risk Assessment

Guide to Vendor Risk Assessment

There are several types of vendor-related risks that you should be aware of. And although the risk of being compromised due to a successful hack of your vendor or partner is certainly possible, it is among the least probable on that list. In this article, we will overview the main types of risks that you should keep in mind. We will also help you to create a methodology and a workflow to embed vendor risk management techniques to help you pick the best one for the job.

What Is Vendor Risk Assessment?

Contrary to popular belief, vendor risk assessment is not about reading the news in order to find the most recent security breach of a given vendor. It is a complex process of grouping and qualifying vendor-related risks that might potentially harm the interests, security, or reputation of your company.

What Are the Risks?

Before creating a policy and performing the assessment, you should create a list of risks that you will be assessing your vendors for. Here are the typical ones:

  • Security risks. You should check whether or not the vendor of your choice was subject to successful security attacks or was found to maintain leaking databases. Also, if your company operates under a certain compliance, chances are that all your software and app vendors should be certified to work under that compliance as well.
  • Financial risks. Price rises are a common occurrence in today’s world. Thus, you should check the history behind the given vendor to understand their typical practices in that area. Try to avoid asking that vendor’s salespeople, since all you will hear will be their company's position. Go directly to the users on Reddit or any other forum or social media that you prefer.
  • Operational risks. Sometimes, in order to start using a new piece of equipment or app, you have to update or recreate certain workflows in your organization. So, before you go into that long and expensive process, check whether there is a less demanding alternative.
  • Replacement risks. Some data storage and backup vendors tend to keep your data in proprietary vaults, making it almost impossible to migrate. So, you should keep vendor lock-in in mind, since there is always a possibility that you will need to replace the solution in the coming years.
FREE WHITEPAPER
3 Reasons To Pick a Storage-Agnostic Backup and DR Vendor
Take full control of where your data is stored, as well as storage pricing and features
New call-to-action
  • Reputational risk. Lastly, there are reputational risks. Remember what happened to the antivirus giant Kaspersky? It was accused of espionage, and a lot of US-based organizations immediately dropped the company’s solutions for good. Whether those accusations were true or not, nowadays it is considered to be bad business practice to use Kaspersky antiviruses, since it can cast doubt on your organization.

When Do You Need to Run a Risk Assessment?

You should perform vendor risk assessment during several different stages of your relationships:

  New call-to-action
  • When looking for a new product. Obviously, the first stage when you perform a risk assessment is when you look for a new product or a solution that will fit your needs.
  • Yearly reviews. Regular yearly reviews of each vendor from whom you buy strategic products or applications are a necessity for two specific reasons. First, each year there are new products released that might be more advanced than your existing ones. Second, sometimes vendors change their financial or security policies in such a way that they will become unsuitable for your organization.
  • When terminating the existing contract. In this case, you should perform a post-mortem risk assessment to understand what exactly made you finish the contract, and seek a more suitable vendor based on these assumptions.

Vendor Risk Assessment Checklist

So, here's the exact procedure that you should perform in order to have a solid understanding of the vendors you are about to interact with and the risks tied to them:

  • List all the vendors. In this first step, you should gather a list of all the vendors and their specifics, like the products they provide, the areas they operate in, and other basic information. It would be great not only to gather formal information from their websites or news but also to get in touch with their clients.
  • Assess the risks. According to the list we provided earlier in the article, create a unique list of risks for each vendor. It would be particularly useful to provide detailed evidence here.
  • Classify the risks. Once you have understood which risks the vendors are prone to, it's time to classify those risks by probability, impact, and other factors unique to your company.
  • Pick the vendor. Now that you have gathered all the information, it's time to decide which vendor you are about to shake hands with.

Conclusion

Now you know how to create a thorough and thought-through workflow around choosing the right vendor. However, don't overdo it.

You see, such thorough frameworks work great for enterprise-grade organizations that need to meet the needs of their internal security policies. For sure, if an organization has five thousand employees, they will need a lot of complex frameworks just to continue normal operations. But for smaller companies, such policies can be excessive.

So, while keeping the complex method in mind, try to stick to common sense. Don't overplan and overprocess, but instead embed the main idea of vendor risk assessment and vendor risk management into your workflow – which is finding the best vendor to suit your needs.

FREE WHITEPAPER
3 Reasons To Pick a Storage-Agnostic Backup and DR Vendor
Take full control of where your data is stored, as well as storage pricing and features
New call-to-action