How Many Vendors is Too Many?

A Security Risk for Large Companies

Nate Nelson
EnjoyTech Web


(NBC News)

Vendor Glut

Total SE, a petroleum corporation based in Paris, is a behemoth. And you don’t need to know a thing about them to tell: all you have to do is look at their massive, beautiful, almost frightening headquarters. The Tour Total is not only a skyscraper, it’s three skyscrapers smushed together plus a little extra on the side. Whatever goes on inside those buildings, you can bet, requires a lot of people and a lot of resources.

(Wikipedia)

And, indeed, the company takes in 200 billion dollars every year, placing them among the top 30 biggest companies in the world. But for a real sense of what it takes to run Total SE, look to the number of companies they work with. As stated on their website, they use over 100,000 suppliers.

It’s worth taking a moment to truly grasp what that means. It means there’s a company out there that sells Total SE, say, equipment for their pipelines, and another that sells them consulting services, and another that delivers water bottles to their office break rooms, and 100,000 more companies doing everything in between.

If the scale of that number still hasn’t sunk in, consider this: if you imagine that every Total SE vendor (each of which might, in reality, employ 1, 10 or 10,000 people) were just one person, you’d still end up with a larger population than that of the famous French cities Avignon, Dunkirk and Versailles.

The point here isn’t just that Total is a big company. In fact, it’s the opposite: they’re not unique. Walmart has over 100,000 suppliers, as do a number of other major multinational corporations.

Even companies that aren’t multi-billion-dollar global enterprises tend to use more vendors per capita than you’d imagine. According to a 2016 survey from software company Bomgar, the average medium-to-large enterprise’s IT network is accessed by around 90 different vendors on a weekly basis. And that number could be a lowball: only a third of respondents (all IT “decision-makers”) were confident that they knew the actual number for their own company.

Whether 100 vendors are necessary to support a mid-size business, or 100,000 to support a multinational corporation, is a matter for each executive board to decide on its own. What is universally true, for all organizations, is this:

Having more vendors than you can reasonably, consistently keep track of is a major security risk.

A Case Study in Vendor Risk

Early last December, news broke that FireEye — one of the premier cybersecurity companies in the world — had been hacked. It was the biggest story in the industry all year, for obvious reasons. Hacking FireEye is a bit like assassinating a CIA agent, or beating Michael Jordan in a one-on-one: you just don’t often see the best get beaten at their own game.

But what was most remarkable about FireEye’s story is that it was just the peak — the tippy, tippy-top — of a gigantic iceberg.

Within a week of FireEye’s disclosure, it became clear that this wasn’t just a FireEye hack: FireEye was simply the first to disclose a hack that also affected tens of thousands of other organizations. It reached major companies like Cisco, Equifax and Nvidia, and more U.S. government organizations than you can count on two hands: the Department of Defense, Homeland Security, Treasury, Commerce, Agriculture, you name it.

No longer was this merely the biggest cybersecurity news of 2020. It was the biggest news, the most important hack pulled off in a decade.

This coordinated assault is now commonly referred to as the “SolarWinds attack,” or just “SolarWinds” for short. It’s called that because all 18,000 compromised organizations had one common connection: they shared a vendor called SolarWinds Inc.

SolarWinds is an IT management company. Their software helps other companies keep track of their networks (aiding in, for example, detecting and resolving outages). Evidently they’re very good at what they do: over 300,000 companies count SolarWinds among their suppliers, including almost every Fortune 500 company. SolarWinds is the Amazon, the McDonald’s, the Kleenex of their industry.

But what happens if Kleenex accidentally starts shipping toxic tissues? Suddenly, everyone with a nose is at risk.

(SolarWinds attack path; BreachLock)

Ironically, in late 2019, Russian hackers first breached SolarWinds through one of their vendors: Microsoft. Once inside SolarWinds, they targeted the company’s flagship product, Orion, planting unique malware that traveled into client networks via a seemingly ordinary software update. That’s why it only took one vendor breach to hit 18,000 organizations.

Preventing Vendor Risk

The SolarWinds attack was remarkably sophisticated — even companies with fantastic records on cybersecurity nonetheless failed to catch it before it was too late. But make no mistake: SolarWinds was not unprecedented. Supply chain attacks are an established, growing threat in cyberspace because they’re efficient for hackers, and because of one major Achilles’ heel that SolarWinds made very apparent:

(HQs of some of the gov’t organizations affected by SolarWinds’ hack; Wikipedia)

Most companies don’t have the capacity to comprehensively monitor all their vendors.

After all, what mid-size company has the resources to fully monitor 90 vendors popping in and out of their network on a weekly basis? And, even at a company with as much cash and manpower as Total SE or Walmart, is it humanly possible to manage over 100,000 different vendors at once? In either scenario, the minimum requirement is perfection, because all it takes is one SolarWinds to constitute a breach.

What, then, is the answer here?

For some companies, the solution seems to be more vendors — specifically, cybersecurity providers. Cisco data suggests that a full 13% of companies pay over 20 security providers, and 4% more than 50! (That said, these numbers are shrinking year-over-year.) While more security is usually better than less, there’s fault in this logic. For one thing, cybersecurity isn’t a matter of simple addition, and redundancy can be counterproductive. And while cybersecurity companies are more secure than most, they’re not invulnerable. If FireEye can be hacked, and Malwarebytes, and Palo Alto Networks, then no institution on the planet is totally safe.

That’s why companies should be aware of third-party risk, and diligent with each new supplier they add to their lists. In all likelihood no individual one will be a problem, and yet, collectively, they add up. Any supplier in excess of what a company can reasonably and closely manage is a supplier too many. (Luckily, this is one of the few problems in the universe of IT where greater security actually comes with reduced cost, as paying fewer vendors both collapses attack vectors and cuts zeros off balance sheets.)

And, really, you’ve got to figure that among 100,000 suppliers there are at least a few redundancies. A few unnecessary water bottle shippers.

This article was published for EnjoyTech Web. For more information on third-party risk, visit www.enjoytechweb.com.
