The Importance of Maintaining an Updated and Accurate Vendor Inventory: What SolarWinds Taught Us
Over the last month, companies of all sizes have been in incident response mode due to the recent SolarWinds breach. This incident has been a front page headline driving management teams and Boards to initiate comprehensive reviews on the impact to their company but also to their third-party supply chains.
Privva offered its platform at no cost to assist companies in quickly distributing assessments so they could review the implications of this breach on their supply chain. We noticed many companies were scrambling to identify all suppliers, not just IT related suppliers, in order to identify the impact of the SolarWinds breach on their external environments.
Tips for Building a Comprehensive Vendor Inventory
Do you know the name of all your vendors including domain? This is not just the IT related vendors that are part of an annual due diligence.
Which vendors are directly contracted with your company?
Who are your indirectly contracted vendors (your vendors’ vendors)?
Is there an updated point of contact, email address, and phone number associated with these vendors? Many companies have dedicated “security” or “incident” emails that should also be stored. These contacts should be tested on a quarterly basis so when an incident is in motion you are not in discovery mode.
Do you know the name of the parent company? Has the vendor been acquired?
SolarWinds has been a lesson in the importance of having a full inventory of suppliers and updated contact information. The key to long term success is ensuring this information is up-to-date and accurate. When incidents are in the headlines you have management teams asking questions, so be one step ahead not two steps behind.