
Vendor Risk Management: Why Your Suppliers Are Your Biggest Security Liability

Your security is only as strong as your weakest supplier. Here's how to assess, manage, and monitor the third-party risk that most Irish SMEs are carrying without realising it.

Some of the largest data breaches in recent years didn't start with the targeted organisation. They started with a supplier — an IT provider, a software vendor, a cleaning contractor with access to the building, a payroll processor with a connection to HR systems.

Third-party risk is now one of the top sources of security incidents globally. And for Irish SMEs, it's often entirely unmanaged.

Why Vendor Risk Matters More Than Ever

Three regulatory drivers have made vendor risk management non-negotiable:

GDPR: If a processor you've engaged suffers a breach affecting your customers' data, you're still accountable. You must have a written Data Processing Agreement (DPA) in place, and you must have carried out due diligence on the processor's security practices.

NIS2: Article 21(2) lists supply chain security as one of the 10 minimum cybersecurity risk-management measures (point (d)). If you're an essential or important entity, you must assess the security posture of your direct ICT suppliers and service providers.

DORA: Requires financial entities to maintain a complete register of ICT third-party providers, conduct pre-contractual due diligence, include specific security provisions in contracts, and monitor critical providers on an ongoing basis.

Beyond regulation, operational risk is real. If your cloud provider goes down, your payroll system is breached, or your managed IT provider is hit by ransomware, your business is affected regardless of whose fault it was.

Step 1: Build Your Vendor Register

Start by listing every third party that:

  • Accesses your systems or data
  • Processes personal data on your behalf
  • Provides a service you'd notice if it disappeared tomorrow

Include: cloud providers, SaaS applications, managed IT/MSP, payroll, HR systems, accountants, legal firms, cleaning/facilities (if they have building access), logistics partners, marketing platforms.

For each vendor, record:

  • What data or systems they can access
  • The nature of the relationship (processor, controller, joint controller)
  • Whether a contract/DPA is in place
  • Your criticality rating (what happens if they fail or are breached?)

Step 2: Tier Your Vendors by Risk

Not all vendors warrant the same level of scrutiny. A simple three-tier model:

Critical (Tier 1): Access to sensitive personal data, core business systems, or your security infrastructure. Requires full due diligence and annual review.

Important (Tier 2): Access to business data but limited personal data exposure. Requires questionnaire-based assessment and biennial review.

Standard (Tier 3): Minimal data access, easily replaceable. Requires basic contractual controls and periodic review.

Step 3: Conduct Due Diligence

For Tier 1 vendors, due diligence should include:

  • Security questionnaire: Covering access controls, encryption, incident response, subprocessor management, certifications
  • Evidence review: Certificates (ISO 27001, SOC 2), recent penetration test summaries, security policies
  • Contractual review: DPA, SLAs, breach notification obligations, audit rights, exit clauses
  • Business continuity review: What happens if the vendor has an outage or goes out of business?

For Tier 2, a shorter questionnaire with certification evidence is usually sufficient. For Tier 3, a contract review alone may be adequate.

Step 4: Get Your Contracts Right

Two documents matter most:

Data Processing Agreement (DPA): Mandatory under GDPR Article 28 for any processor. Must specify the nature and purpose of processing, data types, your instructions to the processor, and the processor's obligations.

Service Agreement / MSA: Should include security requirements, incident notification timelines, audit rights, and exit/transition obligations. On notification: GDPR Article 33(2) only requires a processor to notify you "without undue delay" after becoming aware of a breach, and your own 72-hour deadline to the Data Protection Commission starts when you become aware. A contractual 24-hour notification deadline is the practical way to protect that 72-hour window.

If you're signing vendor contracts without these provisions, you're carrying both regulatory and financial risk.

Step 5: Monitor on an Ongoing Basis

Due diligence at onboarding isn't enough. Vendors change — ownership changes, certifications lapse, security incidents occur.

Ongoing monitoring includes:

  • Annual (or biennial) reassessment questionnaires for Tier 1 and Tier 2 vendors
  • Monitoring for vendor security incidents in the news
  • Tracking certification expiry dates
  • Re-assessing when a vendor significantly changes their service or ownership
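Steps 1, 2 and 5 together describe a small data model and a scheduling rule: a register row per vendor, a tier derived from what the vendor can reach, and a review cadence plus certificate-expiry tracking driven by that tier. The script below is an added illustration of that procedure; it is not Shield IQ code or any vendor's tooling. The sample vendors, the 30-day certificate warning window and the three-year Tier 3 review interval (the text only says "periodic") are constructed assumptions.

```python
"""Minimal vendor register with risk tiering and a review calendar.

Added example, not code from the original article or from Shield IQ.
Sample vendors, the 30-day certificate warning and the 3-year Tier 3
interval are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Tier(Enum):
    CRITICAL = 1   # full due diligence, annual review
    IMPORTANT = 2  # questionnaire-based assessment, biennial review
    STANDARD = 3   # basic contractual controls, periodic review


# Review cadence per tier. Tier 3 is "periodic" in the text; 3 years is assumed.
REVIEW_INTERVAL = {
    Tier.CRITICAL: timedelta(days=365),
    Tier.IMPORTANT: timedelta(days=730),
    Tier.STANDARD: timedelta(days=1095),
}


@dataclass
class Vendor:
    """One row of the vendor register (the Step 1 fields)."""
    name: str
    role: str                      # "processor", "controller", "joint controller" or "none"
    sensitive_personal_data: bool  # HR, payroll, health or financial data
    core_systems: bool             # a service you'd notice if it vanished tomorrow
    security_infrastructure: bool  # MSP, identity provider, backups, EDR
    business_data: bool            # non-personal company data
    easily_replaceable: bool
    dpa_in_place: bool
    last_review: Optional[date] = None
    certifications: dict[str, date] = field(default_factory=dict)  # name -> expiry


def assign_tier(v: Vendor) -> Tier:
    """Step 2: tier on the worst-case access the vendor holds."""
    if v.sensitive_personal_data or v.core_systems or v.security_infrastructure:
        return Tier.CRITICAL
    if v.business_data or not v.easily_replaceable:
        return Tier.IMPORTANT
    return Tier.STANDARD


def review_findings(v: Vendor, today: date,
                    cert_warning: timedelta = timedelta(days=30)) -> list[str]:
    """Step 5: every open action item for one vendor as of `today`."""
    findings: list[str] = []
    if v.role == "processor" and not v.dpa_in_place:
        findings.append("no DPA in place (GDPR Art. 28)")
    if v.last_review is None:
        findings.append("never assessed")
    else:
        due = v.last_review + REVIEW_INTERVAL[assign_tier(v)]
        if due <= today:
            findings.append(f"reassessment overdue since {due.isoformat()}")
    for cert, expiry in sorted(v.certifications.items()):
        if expiry < today:
            findings.append(f"{cert} lapsed on {expiry.isoformat()}")
        elif expiry - today <= cert_warning:
            findings.append(f"{cert} expires on {expiry.isoformat()}")
    return findings


def compliance_calendar(vendors: list[Vendor], today: date) -> dict[str, tuple[Tier, list[str]]]:
    """Vendors with open findings, highest tier first; clean vendors are omitted."""
    calendar: dict[str, tuple[Tier, list[str]]] = {}
    for v in sorted(vendors, key=lambda x: assign_tier(x).value):
        findings = review_findings(v, today)
        if findings:
            calendar[v.name] = (assign_tier(v), findings)
    return calendar


# Constructed sample register (not real vendors).
SAMPLE_REGISTER = [
    Vendor("Payroll Co", "processor", True, True, False, True, False, True,
           last_review=date(2024, 3, 1), certifications={"ISO 27001": date(2025, 3, 1)}),
    Vendor("Managed IT Provider", "processor", False, True, True, True, False, False),
    Vendor("Marketing Platform", "processor", False, False, False, True, True, True,
           last_review=date(2023, 6, 1), certifications={"SOC 2": date(2025, 4, 20)}),
    Vendor("Cleaning Contractor", "none", False, False, False, False, True, False,
           last_review=date(2025, 1, 1)),
]
TODAY = date(2025, 4, 1)  # fixed "today" so the run is reproducible

if __name__ == "__main__":
    for name, (tier, items) in compliance_calendar(SAMPLE_REGISTER, TODAY).items():
        print(f"[Tier {tier.value}] {name}")
        for item in items:
            print(f"    - {item}")
```

Run it and the calendar lists the two Tier 1 vendors first: the payroll processor is overdue for reassessment and its ISO 27001 certificate has lapsed, the MSP has never been assessed and has no DPA, and the marketing platform's SOC 2 report falls due inside the warning window. The cleaning contractor has nothing open and is left off the list, which is the point of tiering: effort goes where the access is.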

Building Vendor Risk Into Your Programme

Shield IQ's vendor module supports both Lite and Standard questionnaires, automatically generates risks from poor questionnaire scores, and links vendor risk directly to your risk register and controls. Certification expiry dates feed into the compliance calendar so reviews don't slip.


Manage your vendor risk in Shield IQ — free at app.shieldiqcyber.com

No credit card. No setup call. Start building your vendor register today.