Vendor Risk: 1 Issue That's Too Critical To Overlook

Vendor Risk Management

Written by Melissa Stevens July 07, 2015

If your organization outsources to vendors, you are probably involved in a lot of due diligence. You may be looking at and verifying credit checks, getting background reports, monitoring legal standings and litigation, ensuring that third parties pay their bills and don’t employ criminals, and more.

But are you paying attention to the cyber security posture of your vendor? This is a new risk factor companies are beginning to worry about—and rightfully so.

In today’s business landscape, data is being shared with many vendors and housed in their networks, so it is incredibly important to take every precaution necessary to protect your data. Even if you have a strong standing relationship with your vendor, how do you really know that they’re protecting their own information appropriately, let alone handling yours with care? The steps laid out below will help you ensure that you’re mitigating vendor risk, from pre- to post-contract.

Pre-Contract Diligence

Ask yourself this question: “Are all of my vendors protecting our data appropriately, in accordance with the relationship we’ve established?” If you’re hesitant on answering “yes” for even a moment, you could have a vendor risk problem.

Take the first step toward a better VRM program today by downloading this free guide.

During your pre-contract phase, you’ll want to be sure a particular vendor is on the “up and up” before you sign a deal with them. This is typically done by determining:

  • The extent of their access to your network and data.
  • The sensitivity of the data they have access to.

If they have access to a large deal of data, or even a small amount of highly sensitive data, follow these steps:

  1. Build the expectations of how you expect the vendor to secure your data into your contract. In other words, write up your vendor contracts so they are legally airtight. You’ll want to make sure there’s a clause for incident notification if something goes wrong. (We’ll return to this concept in step seven.)
  2. Ask your vendor to provide documentation of what they’re doing with respect to IT and data security.
  3. Perform an interview or an on-site visit. This isn’t always necessary—and can be extremely costly—but in some cases, it’ll give you assurance that what your vendor is saying on paper is what they’re actually doing in practice.

Post-Contract Diligence

5 Ways your Vendor Risk Management Program Leaves You In The Dark

And what you can do about it

5 Ways Your VRM Program Leaves You In the Dark

5 Ways your Vendor Risk Management Program Leaves You In The Dark

And what you can do about it

Relationships with vendors are important (or even vital) for many organizations, but unfortunately, there’s a trade-off—the more data you share, the more risk you acquire.

Download Whitepaper
Button Arrow
Let’s assume you performed the three steps above and your vendor passed muster, so you signed a contract with them. Congratulations! But vendor risk management doesn’t stop after the contract is signed. During the post-contract diligence phase, you’ll want to continuously monitor your vendor’s security position by following these steps:
  1. Have a semi-regular meeting with your contact at the vendor. This gives you a chance to discuss anything pertinent, ensure everything is still going well, potentially talk about security incidents, and more. Basically, you’ll want to use this check-in call or face-to-face meeting to find out what’s going on.
  2. Schedule a semi-annual on-site assessment. Again, performing this step depends on the vendor and the criticality of data they have access to. Going on-site may help ease any fears that nothing has changed dramatically—i.e., they haven’t sold the data center where your critical data is being housed to a company overseas, or the like.
  3. Prepare internally for the steps your organization will take if there is a security incident that affects your network or data.
  • Make relationships with law enforcement, forensic teams, or anyone else who could respond appropriately during a crisis.
  • Prepare your organization’s executive team for this type of incident. Be sure the right people are ready to reach out to customers or shareholders, if need be.
  • If there is a security breach through a third party, create an incident response plan (which is actually our next step).
  1. Create an incident response plan. This plan will help you take the steps necessary if there is a security incident that affects your data or network. You’ll also want to be sure your vendor has an incident response plan in place. This proves both responsibility and sophistication on the vendor’s part, and will help your vendor deal correctly with a security incident.
  2. Have a continuous monitoring solution for long-term vendor risk management. This will allow you to constantly monitor each vendor for any security flaws or potential risks, which will give you and your company the peace of mind you’re looking for.

Is Your Cyber Security Posture Optimized?

If you still don’t think these critical vendor risk management steps are important, you’re simply not taking necessary precautions to protect your company. Some may even say that not protecting yourself through these steps is negligent. Vendor risk management isn’t a ploy or a sales tactic—it’s an incredibly important part of the business landscape today, and virtually every large company in the world is doing it.

Once you follow the eight steps outlined above, you’re going to have greater protection if your vendor’s security is ever compromised. Take our word for it—following these critical (and simple) steps to reduce your vendor risk is a no-brainer.

Download Guide: 5 Ways Vendor Risk Management Programs Leave You In The Dark (& What You Can Do About It)