In this video, Carol White of MIS Solutions interviews Lliam Holmes, CEO of MIS Solutions, to unpack the concept of connected risk and its implications for small and mid-sized businesses (SMBs).
Lliam explains that businesses today operate in a web of interconnected vendors, applications, and service providers. While many organizations focus on securing their own systems, true risk management must also account for the vulnerabilities of third-party (and even fourth-party) partners. If a vendor suffers a breach, outage, or compliance failure, that risk quickly transfers to their clients.
Customers expect their data to be protected regardless of whether it’s managed directly by a business or by its vendors. While SMBs may invest heavily in internal cybersecurity (antivirus, penetration tests, backup strategies), they must also evaluate how their vendors handle sensitive data. Lliam stresses the importance of due diligence when onboarding new partners and regularly reassessing existing ones.
Certifications and Frameworks: Look for SOC 2 Type II compliance, Business Associate Agreements (BAAs) for HIPAA, and other industry frameworks (CMMC, PCI, etc.) as evidence of vendor accountability.
Due Diligence: If formal certifications are lacking, businesses must ask probing questions about policies, disaster recovery, and data protection.
Ongoing Monitoring: Vendor assessments shouldn’t be “one and done.” Annual audits and regular reviews help ensure vendors remain aligned with business and compliance needs as both evolve.
Understanding Fourth-Party Risk: Vendors often rely on their own providers (e.g., software companies using AWS or third-party backup services). This creates cascading risk exposure that businesses must map and track.
Software Bill of Materials (SBOM): With modern software relying on multiple third-party components, new regulations are pushing for transparency into the “ingredients” of applications so businesses know where hidden risks may lie.
Lliam points to well-known incidents like the Target data breach, where the compromise originated from a vendor, and to outages in platforms like Azure or payment systems, which can disrupt many downstream businesses.
Start by identifying all current vendors and what data they access.
Engage vendors in conversations about security measures and data handling.
Clarify contracts to define expectations in case of a breach.
Know not only who you do business with, but also who they do business with.
Carol emphasizes that security doesn’t stop at your own network. Every vendor and partner extends your organization’s risk surface. By asking the right questions and embedding vendor risk management into strategy, SMBs can strengthen resilience and reduce surprises.