If your organization outsources to vendors, you are probably involved in a lot of due diligence. You may be looking at and verifying credit checks, getting background reports, monitoring legal standings and litigation, ensuring that third parties pay their bills and don’t employ criminals, and more.
But are you paying attention to the cybersecurityposture of your vendor? This is a new risk factor companies are beginning to worry about—and rightfully so.
In today’s business landscape, data is being shared with many vendors and housed in their networks, so it is incredibly important to take every precaution necessary to protect your data. Even if you have a strong standing relationship with your vendor, how do you really know that they’re protecting their own information appropriately, let alone handling yours with care? The steps laid out below will help you ensure that you’re mitigating vendor risk, from pre- to post-contract.
Ask yourself this question: “Are all of my vendors protecting our data appropriately, in accordance with the relationship we’ve established?” If you’re hesitant on answering “yes” for even a moment, you could have a vendor risk problem.
During your pre-contract phase, you’ll want to be sure a particular vendor is on the “up and up” before you sign a deal with them. This is typically done by determining:
The extent of their access to your network and data.
The sensitivity of the data they have access to.
If they have access to a large deal of data, or even a small amount of highly sensitive data, follow these steps:
Build the expectationsof how you expect the vendor to secure your data into your contract. In other words, write up your vendor contracts so they are legally airtight. You’ll want to make sure there’s a clause for incident notification if something goes wrong. (We’ll return to this concept in step seven.)
Ask your vendor to provide documentation of what they’re doing with respect to IT and data security.
Perform an interview or an on-site visit. This isn’t always necessary—and can be extremely costly—but in some cases, it’ll give you assurance that what your vendor is saying on paper is what they’re actually doing in practice.
Let’s assume you performed the three steps above and your vendor passed muster, so you signed a contract with them. Congratulations! But vendor risk management doesn’t stop after the contract is signed. During the post-contract diligence phase, you’ll want to continuously monitor your vendor’s security position by following these steps:
Have a semi-regular meeting with your contact at the vendor. This gives you a chance to discuss anything pertinent, ensure everything is still going well, potentially talk about security incidents, and more. Basically, you’ll want to use this check-in call or face-to-face meeting to find out what’s going on.
Schedule a semi-annual on-site assessment. Again, performing this step depends on the vendor and the criticality of data they have access to. Going on-site may help ease any fears that nothing has changed dramatically—i.e., they haven’t sold the data center where your critical data is being housed to a company overseas, or the like.
Prepare internally for the steps your organization will take if there is a security incident that affects your network or data.
Make relationships with law enforcement, forensic teams, or anyone else who could respond appropriately during a crisis.
Prepare your organization’s executive team for this type of incident. Be sure the right people are ready to reach out to customers or shareholders, if need be.
If there is a security breach through a third party, create an incident response plan (which is actually our next step).
Create an incident response plan. This plan will help you take the steps necessary if there is a security incident that affects your data or network. You’ll also want to be sure your vendor has an incident response plan in place. This proves both responsibility and sophistication on the vendor’s part, and will help your vendor deal correctly with a security incident.
If you still don’t think these critical vendor risk management steps are important, you’re simply not taking necessary precautions to protect your company. Some may even say that not protecting yourself through these steps is negligent. Vendor risk management isn’t a ploy or a sales tactic—it’s an incredibly important part of the business landscape today, and virtually every large company in the world is doing it.
Once you follow the eight steps outlined above, you’re going to have greater protection if your vendor’s security is ever compromised. Take our word for it—following these critical (and simple) steps to reduce your vendor risk is a no-brainer.
Download Guide: 5 Ways Vendor Risk Management Programs Leave You In The Dark (& What You Can Do About It)
We've drilled down into areas that vendor risk management programs leave a little vague.
Download the guide to see if you've considered these critical areas of vendor risk management.
What’s the biggest struggle your vendor risk managers face when establishing cyber security monitoring processes? From sudden increases in the use of third-parties by your organization, to not knowing which vendors might be impacted by the...
If you’re using a “one-size fits all” approach to managing your vendor lifecycle, you are missing opportunities to save money and operate more efficiently. Vendor management efficiencies don’t end in the onboarding stage: using a...
If you’re experiencing frustrating delays and procedural roadblocks during your vendor management process, you’re not alone. Security managers are seeing an increase in the number of third-parties integrating with their business, and ...