Should you worry about concentrated risk?

Awareness of risk concentration in third party vendors reached new levels of visibility after we found out last week that, surprise - Many computers going down simultaneously isn’t good for the economy.

When it comes to software startups, they’re swimming in a sea of third party vendor risk due to the potential for outages and breaches in vendor owned systems. What can companies do to prepare for the worst?

In truth, not much.

Beyond choosing relatively solid vendors, the risk vs. the effort to comprehensively identify and plan for most 3rd party vendor risks simply isn’t worth it.

If Google Workspace goes down, the company loses access to email and all your productivity software, a massive single point of failure tied to a vendor.

But…

Google Workspace itself has more layers of redundancy than the management at a Fortune 500 and what are the alternatives? Paying for Office 365 as well, just in case?

The reality is, there’s many other more likely and more impactful risks you should be addressing before spending too much time building mitigations for a Zoom outage into your plans.

Does it really make sense to worry too much about this if you’re a smaller company?

If it’s a critical part of your platform and there’s a reasonable alternative you can flip to, then by all means having a secondary should be part of your resilience planning. For areas like your EDR, productivity suite, CRM, etc. you’re much better off picking a reliable vendor and just moving forward.