The Situation
A retail chain with 12 locations across Dar es Salaam came to us after one of their IT suppliers notified them that a breach of the supplier’s systems may have included data related to the retail chain’s customer payment records.
The chain had grown through a period of rapid expansion. Each new location had been set up by the local management team with minimal central oversight — procurement decisions made independently, IT tools chosen for convenience, suppliers engaged without formal vetting. By the time the breach notification arrived, no one at the head office could produce a complete list of who had access to what.
The breach notification itself was from a relatively low-risk supplier — a point-of-sale software maintenance provider. The organisation had no formal assessment of whether that supplier held customer data, what security practices they maintained, or what their breach notification obligations were. The notification arrived three weeks after the supplier had discovered the incident.
The immediate question from leadership: how many other suppliers are we in the same position with?
What We Found
The vendor inventory exercise was the first and most important step. Working with the operations, IT, and finance teams across a two-week discovery period, we mapped every vendor with any access to the organisation’s systems, data, or premises.
The final inventory contained 43 vendors. The head office had been aware of approximately 20. The remaining 23 had been engaged by individual store managers, the IT contractor, or department heads without central registration.
Of the 43 vendors:
- 11 had access to point-of-sale or payment-adjacent systems
- 7 held or processed customer data (contact details, purchase history, loyalty programme information)
- 4 had remote access to internal networks for support purposes
- 14 provided SaaS tools with employee log-in credentials
- 7 were physical or logistics suppliers with no system access
The criticality tiering placed 8 vendors in the critical or high tier — suppliers whose breach or failure would have direct impact on customer data or business operations.
None of the 8 had ever been formally assessed.
What We Delivered
Vendor Inventory and Tiering
We produced a complete vendor register with 43 entries, each tiered by criticality. The register included: vendor name, category, data held, system access level, criticality tier, assessment status, contract review flag, and primary contact.
The tiering matrix showed the scoring rationale for each vendor — particularly important for communicating to senior management why certain vendors were prioritised for immediate assessment.
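As an added illustration of the register and tiering matrix described above (example code, not the engagement’s own tooling): a small Python model of the vendor register that derives a criticality tier from system access level and data held, shows the scoring rationale per vendor, and lists which critical and high vendors still need assessment or a contract review. The point values, tier thresholds and sample vendors are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Added example. Register fields follow the case study; point values and tier
# thresholds are illustrative assumptions, not the engagement's own matrix.
ACCESS_POINTS = {"none": 0, "saas_login": 1, "remote_network": 3, "pos": 4}
DATA_POINTS = {"loyalty": 2, "purchase_history": 2, "customer_pii": 3, "payment": 4}
TIER_FLOORS = (("critical", 7), ("high", 4), ("medium", 2), ("low", 0))

@dataclass
class Vendor:
    name: str
    category: str
    data_held: set               # subset of DATA_POINTS keys
    access_level: str            # key of ACCESS_POINTS
    assessed: bool = False       # formal assessment completed?
    notification_clause: bool = False  # contract has an incident notification clause?

def rationale(v):
    """Scoring breakdown for the tiering matrix: access points + most sensitive data class."""
    access = ACCESS_POINTS[v.access_level]
    data = max((DATA_POINTS[d] for d in v.data_held), default=0)
    total = access + data
    tier = next(name for name, floor in TIER_FLOORS if total >= floor)
    return {"access": access, "data": data, "total": total, "tier": tier}

def tier(v):
    return rationale(v)["tier"]

def assessment_queue(register):
    """Critical/high vendors with no formal assessment, most exposed first."""
    due = [v for v in register if tier(v) in ("critical", "high") and not v.assessed]
    return [v.name for v in sorted(due, key=lambda x: -rationale(x)["total"])]

def contract_review_flags(register):
    """Critical/high vendors whose contract lacks an incident notification clause."""
    return [v.name for v in register
            if tier(v) in ("critical", "high") and not v.notification_clause]

# Constructed sample register (hypothetical vendors, not the chain's real suppliers).
REGISTER = [
    Vendor("Till support", "POS maintenance", {"purchase_history"}, "pos"),
    Vendor("Payment reporting platform", "Reporting SaaS", {"payment", "customer_pii"}, "remote_network"),
    Vendor("Loyalty SaaS", "Marketing", {"loyalty", "customer_pii"}, "saas_login", assessed=True, notification_clause=True),
    Vendor("Network contractor", "IT support", set(), "remote_network"),
    Vendor("Rota SaaS", "HR tooling", set(), "saas_login"),
    Vendor("Packaging supplier", "Logistics", set(), "none"),
]
```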
Vendor Assessment — Top 8
We ran structured assessments against the 8 critical and high-tier vendors using a right-sized questionnaire covering: data handling practices, access controls, incident notification procedures, certifications, and business continuity capabilities.
Findings from the 8 assessments:
- 3 vendors had no documented incident notification process — they had no procedure for telling the retail chain if a breach occurred
- 2 vendors were still using shared credentials for remote access to the retail chain’s internal network — no individual attribution, no access review process
- 1 vendor’s SaaS platform had no MFA option on business accounts (subsequently remediated by the vendor within 30 days of being formally requested)
- 2 vendors held customer data in a jurisdiction not disclosed in their original proposal
Each assessment produced a findings summary and a remediation checklist sent to the vendor. Four vendors engaged with the remediation requests promptly. Three required follow-up before responding. One critical vendor — a payment reporting platform — was unable to demonstrate adequate controls and was flagged for replacement within 90 days.
Vulnerability Management Programme Setup
Separately from the vendor risk work, we deployed a vulnerability management programme across the chain’s central IT infrastructure. A baseline scan using open-source tooling surfaced 67 critical- and high-severity findings — many relating to unpatched systems and to software running several major releases behind the current version.
We produced a prioritised remediation plan, a patching policy with defined windows for critical, high, and medium findings, and a monthly scan and reporting cadence. The IT contractor was trained on the programme operations and the monthly reporting template.
Within 60 days, the critical and high findings had been reduced from 67 to 9, with the remaining 9 having documented remediation timelines.
The Outcome
The organisation now has a complete picture of its vendor landscape — the first time in the organisation’s history that a central, accurate vendor inventory existed. The 8 critical and high vendors have been formally assessed. Contracts for the top-risk vendors have been reviewed for incident notification clauses, with three requiring renegotiation.
The vendor that prompted the engagement — the point-of-sale software maintenance provider — was tiered as high-risk and assessed. Their controls were found to be adequate for the tier, but the three-week notification delay resulted in a specific contractual obligation for 24-hour notification of future incidents being added to their agreement.
The vulnerability management programme continues on a monthly cadence, managed by the organisation’s IT contractor using the programme we established. The monthly scan results are presented to the operations director in the format of the executive report template we designed.
The Underlying Problem
This engagement illustrated a pattern that is common across growing SMEs: security gaps that accumulate during rapid expansion. When the priority is opening new locations, signing new contracts, and onboarding new tools, governance processes are the last thing on anyone’s mind.
The cost of catching up is real — ten weeks of structured work, multiple vendor conversations, contract renegotiations, and remediation effort. But the cost of not catching up until a significant breach occurs is much higher.
The vendor risk programme is now a standing function within the business. Vendor inventory is updated quarterly. Critical and high vendors are reviewed annually. New vendors above a defined spending threshold require a criticality tier assignment before being onboarded.
The system took ten weeks to build. It takes about four hours per quarter to maintain.