Posted on Jun 19, 2018
As a business owner, you often work with vendors or third-party suppliers whose information technology solutions ease your business processes. For example, you might need a web application to provide employees with remote working solutions or your payroll department may need programs that aid in distributing benefits. Not only must you develop a good working relationship with your vendors, but you must also put plans in place to manage security risks posed by working with these third-party suppliers.
Identifying and managing risks with all your vendors is a key part of your business’s success. Depending on the type of relationship you have established with a vendor, you may face a number of different types of risks.
Determine the person in company responsible for managing the relationship with the vendor. Also, identify the person within the vendor organization managing the relationship with your company. In very small businesses, the owner may be responsible. In larger companies, the relationship manager may be a department head, a legal department, or a senior executive. Identifying this individual (or individuals) clears communication and manages the tasks involved in following up on any issues with the vendor.
Vendor risk also incorporates the relationship’s length. A one-off implementation project lasting three months may appear to be lower risk than an ongoing systems service contract. However, this assumption is faulty. Long term contracts and short term contracts have different risks, not necessarily different levels of risk. For example, the short term implementation project may require more access to your systems and revoking the user access may be overlooked at the end. Meanwhile, the long term contract incorporates continuous access risk.
Rating risks means understanding the types of risks that a vendor poses. Incorrect data input can lead to reputation risk. Meanwhile, data publication can lead to legal risk. Therefore, you need to specify the different types of risk that your vendors pose to understand your data security ecosystem.
Identifying the who, what, and when of vendor risk allows you to develop an appropriate plan to mitigate them and manage the relationship. Your plan must detail accepted vendor security behaviors and responses to data breaches. The document should be complete with check-lists, step-by-step instructions of any processes, and should serve as a compliance guideline for your HR department and legal teams.
Identifying risks allows you to address their mitigation more purposefully.
If you need to share private employee or customer information with your vendors, you put your organization at risk for compliance or security breach risks. In healthcare, for example, a breach can lead to thousands of dollars in fines under HIPAA.
If you are working with a third party that has direct access to your clients’ information, you run the risk of damaging your reputation. For example, PCI DSS compliance, the IT standard that focuses on cardholder data and payment processing, does not include fines, like HIPAA does. However, a PCI compliance failure means credit card companies won’t allow you to process payments. Additionally, customers will not trust you with their information and so you lose sales revenue. Finally, customers may sue you if someone steals their identity or uses the information to make fraudulent purchases.
When reviewing the financial risks a vendor brings with it, you may traditionally think in terms of credit ratings. However, information security financial risks often fall into the operational risk bucket. You integrate vendors as part of your daily business operations. A vendor’s operations, such as being slow to patch known vulnerabilities, can lead to a data breach. That breach impacts customers, like you, in the vendor’s supply chain. The financial risk to your organization may be anything from system access failure that costs you money for business interruption to customer private information being leaked that leads to money spent on fixing the issue.
A service level agreement (SLA) is the most effective way to minimize vendor information security risks. To best protect your organization, your IT department and legal department should do the following when crafting an SLA:
Additionally, you need to make sure that you protect your own IT landscape from vendors. This means that you need a vendor management process steps that outlines the following:
When determining vendor access to your systems, you want to focus on providing the least access necessary for the vendor to do their job. Using the least necessary privilege authorization and access method provides you more control over your data.
SLAs only protect your company if you review your vendors to make sure that they are meeting the requirements. Information security’s vendor management mantra is “trust but verify.” The basis of your vendor relationship is trust, but you also need to verify that your vendors are protecting information the way they promise. In some cases, vendors may lie on questionnaires, but more often, a vendor’s daily operations make mistakes. Unfortunately, those mistakes put you at risk.
Therefore, you need tools to help you establish an ongoing verification process. Third-party collaboration and communication is key to successful ongoing monitoring. You should clearly communicate with your third-parties what will be monitored and tracked as an
attempt to improve the security posture of all parties involved.
You should already be engaging in continuous monitoring for your own security through tools, solutions, and other processes. One option is to use these same tools and processes to monitor any integrated systems that your third parties own. Keep in mind that even if you are using tools that won’t alert your third-parties, if any issues arises, then you should reach out to them to begin remediation.
Some examples of ways to establish appropriate monitoring are:
SecurityScorecard constantly scans the internet to see what a hacker sees. We then provide that information back to you with our easy-to-digest ratings system that grades vendors on an A-F rating scale. This helps you better monitor your ecosystem by easing the steps it takes to see your vendors’ protection methods. For example, unless you work for a vendor, you traditionally cannot see how fast they patch a vulnerability in their systems. With SecurityScorecard, you have insights into this information that allow you to verify your vendors’ responses. Moreover, our platform helps you see what emails and passwords have been compromised so that you know if a vendor poses a risk based on leaked data. Our Scorecards allow you to target vendors’ weaknesses so that you can communicate with them.
The vendor risk management process is cumbersome but necessary. However, to protect your information as well as your customers’ information, you need to find a way to work with others safely. Understanding your risks and managing them with the appropriate contracts allows you to determine the metrics you need for continuously monitoring vendors. SecurityScorecard eases the burden of monitoring and helps you protect yourself by helping you communicate with your vendor.
Check out our list of 3 top third party risk management (TPRM) challenges, and the actions you can take to bolster your program. Learn more.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 9 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.