kellywhiteBy: Kelly White, Founder, RiskRecon, a Mastercard Company

I suspect that in the pre-ransomware world, most supplier inherent risk rating models were weighted primarily towards dimensions such as data types, transaction types, and related volumes. This model led organizations to focus their vendor risk management efforts on processors of sensitive data, relegating many operationally important suppliers to lower rating tiers. Ransomware has changed all that. From 2017 through 2021, according to an analysis of public reports, criminals successfully detonated ransomware in companies across 54 different industries.

For sure, some industries are targeted more than others, with the healthcare and education sectors bearing the bulk of the successful attacks. Don’t take too much comfort in that though, this analysis is based only on publicly reported events. The criminals are changing their tactics and their targets fast.

If you haven’t done so already, do it now. Update your supplier inherent risk rating model to factor in operational dependency and apply the new model to every vendor. Those suppliers that were previously rated as critical or high because of data or transaction sensitivity will still be rated as critical or high. Factoring in the threat of ransomware to supplier operations, you will be adding a whole herd of suppliers to that critical or high tier.

Click here to download the complete paper and get the full details on lessons learned from ransomware attacks.