The Do's & Don'ts Of Sharing Sensitive Information With Vendors

No matter what industry you’re in, there are policies, as well as hundreds or thousands of laws, that go into creating vendor risk management (VRM) programs. As such, there are plenty of resources dedicated to that very topic. You could spend weeks or months reading before you feel like you have a good grasp on the topic… or you could read this article!

Simply put, we are experts in the VRM space! We know which best practices to make sure you’re doing—which you’ll find on our “do” list—and which practices to never take part in—which you’ll find on our “don’t” list. Let’s dive right in.

“Do” List

  • Do understand the value of your data to your organization prior to allowing any third party to access it. Being able to differentiate data that is highly sensitive from data that is only moderately sensitive is an important step—and you’ll need to be able to draw those conclusions before a vendor has access.
  • Do create security expectations for your vendors describing how they should secure your data. These expectations shouldn’t be casually mentioned at the beginning of a business relationship, but rather cemented into your vendor contract. Make these expectations legally airtight, so your mind—and the minds of those in upper management—can rest at ease.
  • Do establish an incident response plan. Having a procedure for your third party to notify you in the event of an incident affecting their organization and/or your data is most certainly a best practice. This is a written procedure that is usually referenced in the contract and developed by the third-party organization. It outlines who the third party is to contact if a security breach does occur. The first party is responsible for ensuring that the vendor has the right procedures in place, accurate contact information, and a clearly established timeline for when that communication will happen.
  • Do share only the minimum information your vendor requires to meet your objectives. If, for example, your vendor will be monitoring your HVAC system remotely, you’ll want to ensure that they have only minimal access. They need access only to the part of your network that controls the HVAC systems, and virtually nothing more. Such access management could have saved Target from its massive, highly publicized breach that affected the personal information of over 110 million customers.
  • Do continuously monitor your third-party vendors and contractors with respect to cybersecurity. Even if you put your vendors through all kinds of audits—which you should—you still don’t know what is going on in their network on a day-to-day basis. Continuous monitoring software helps you keep an eye on all your vendors, so you can make better, data-driven decisions.

“Don’t” List

  • Don’t create a generic expectation for security. You’ve probably heard of companies requiring their vendors to provide an “adequate” level of security. This is not a good practice, because “adequate” can be interpreted in many different ways. You have to be clear about your security expectations if you want to decrease your chances of third-party security issues. Ideally, you should cite an industry standard like ISO 27001, NIST SP 800-53, or the PCI data security standards.
  • Don’t allow third parties to access your data without doing proper assessments. Understanding the cybersecurity posture of your vendors can be a painstaking process. It should involve a combination of questionnaires, on-site assessments, technical assessments, and near-constant communication. If you take care of your pre- and post-contract due diligence, you’ll feel far more prepared for them to gain access to your data.
  • Don’t let everyone in the third-party organization—or your organization—have access to your data. This is a pretty simple but important concept. Your organization should clearly establish which individuals at a vendor company have access to your data. Consider putting controls in place to help guard entry to your data, so it isn’t easily accessible. Privileged information should only be available for a select few individuals who need access for a very good
  • Don’t allow third-party users to access your data using unapproved devices. Anyone accessing sensitive information should be using their work-approved computers on approved networks. If someone decides to access your information on a personal laptop at a coffee shop, your organization can’t adequately monitor usage—and someone gaining access to your “crown jewels” becomes far more likely.
  • Don’t provide vendors with more information about proprietary products or information than they need. In other words, make sure you’re properly addressing the risk involved with your supply chain. Let’s say your organization is designing a really sensitive smart phone, and you decide to work with a vendor who can supply you with specialized screens. That particular vendor does not need access to all of your sensitive phone design information and data—they just need the specifications that will help them successfully create the phone screen. We cannot overstate how important it is to protect your most sensitive data and information.

One Final Point

Do make sure you use this list as a starting point… but don’t only rely on this information to ensure that your data is entirely secure! Our hope is that these suggestions provide you with a great place to start or affirm you’re headed in the right direction in regard to IT risk management—but they can’t replace thorough vendor due diligence. Make sure you do your homework!
