“We don’t ask our vendors about their cybersecurity efforts.”
This is not a statement you hear very often from many modern organizations. And if you do, it’s safe to say that they’re being highly negligent! In today’s threat landscape, vendor risk management is absolutely critical and should be carefully considered in a business relationship.
But there are quite a few more specific scenarios that you may have seen in your organization—or your vendor’s organization—that could be cause for concern. We’ve outlined six of those scenarios below.
1. “We don’t let our vendors know how important cybersecurity is to us.”
From the beginning of a relationship, your vendors need to understand that you are concerned about their cybersecurity and take the matter very seriously. Consider how you’d discuss the scope of the business relationship, the financial terms, and the time frame—you’d never be vague about these details! You should treat cybersecurity with the same importance.
2. “We’ve hired a contractor to handle our sensitive data, but we haven’t asked them which specific employees have access to it.”
Beyond knowing which employees can access your data, you should know where your information will be physically located and how access to it will be managed. What happens if someone breaks into your vendor’s office and can easily access your hard-copy trade secrets, or hacks your vendor’s server? You should consider every possibility while crafting your vendor contract. (See our next scenario.)
3. “We don’t build out contractual requirements for our vendors to meet with respect to cybersecurity.”
If you aren’t contractually specific in your legal agreement with your third party, you’re acting heedlessly. It’s as simple as that. You absolutely must be clear with your third parties about your security expectations for them—without leaving anything up to the imagination. Be extremely specific and spell out everything you require clearly; this is your only time to dictate and negotiate the terms.
4. “We don’t ask to review documentation and results of previous audits.”
Trusting implicitly what your third party tells you about their cybersecurity is simply not enough. In this day and age, the mantra is “trust, but verify.” Even if you feel very comfortable with a vendor, having documentation and proof to back up their claims is critical. This should allow you to glean what the company has been doing for several years prior with their cybersecurity program, which should help you determine whether a business relationship is worth pursuing.
5. “We hired a third party without knowing how they manage their own third-party relationships.”
Supply chain risk management is a critical component of the vendor risk management process. You need to understand what your vendor does today to secure their organization and how they ensure that their own vendors are properly handling their data. You should also ask them how they gather this information. Do they audit their vendors regularly? How is their supply chain managed?
6. “We trust a snapshot in time instead of relying on continuous monitoring.”
Relying solely on annual assessments rather than continuously monitoring your critical vendors creates more vendor risk. It’s common knowledge that an organization’s security posture can change every hour of every day. Thus, it’d be foolish to trust an annual assessment to speak to your vendor’s security. Organizations can improve their supply chain security by continuously monitoring their vendors to detect changes in their network and remediating any issues immediately.
Something To Consider
There’s a misconception that smaller companies perform poorly when it comes to cybersecurity because they can’t employ as many resources as large organizations. This seems to make sense—but interestingly, this isn’t always true. Smaller companies are, at times, able to effectively leverage security tools provided by cloud solution providers. So while a smaller company may not be able to provide the same kind of overall security protection a larger company can, they can maximize their efforts when using the right security tools. Keep this in mind as you manage your vendors and your clients or customers alike!