Onboarding vendors can be a tedious and time-consuming process. More importantly, a disorganized vendor onboarding process can mean that your third parties aren’t approved in a timely manner, don’t go through an appropriate process, or even worse, aren’t thoroughly vetted.
Why is the vendor onboarding process so critical?
Vetting your vendors is important. Data breaches caused by third parties increase the cost of a data breach by an average of $207,411, according to the Ponemon Institute’s latest Cost of a Data Breach report. Yet such breaches are common; Ponemon’s 2018 Data Risk in the Third-Party Ecosystem report found that 59% of respondents had reported a third-party related data breach.
Despite this only 4 in 10 organizations have a mature vendor risk management process in place, according to Protiviti’s 2019 Vendor Risk Management Benchmark Study. This may be because vendor management is notoriously difficult — organizations may be working with more vendors than they’re aware of, due diligence is time-consuming, and both companies and third parties alike hate questionnaires.
In some cases, businesses may throw up their hands and start working with a vendor because it takes too much effort to onboard them properly.
How can you optimize your vendor onboarding process so it’s less painful for you and your third parties are appropriately vetted? It starts with simplification.
Best practices for optimizing your vendor onboarding process
1. Simplify the approval process
How many layers of approval does a department need to go through before a vendor can be approved? If a new vendor must be approved by Legal, Security, Compliance, and Procurement, it can be frustrating to move the approval through all the layers, one after the other, especially if it’s not clear which path the approval needs to take, or if each layer of approval has different requirements.
Simplify the approval process by understanding which department has to sign off on an approval first, or by allowing all departments to view the approval at once.
2. Create a vendor portal
If you are relying on email for proposals, you’re probably missing messages from prospective suppliers. Create a portal for potential vendors who want to work with you. A portal ensures that no one misses any communication, and that prospective vendors can log securely into one location and see everything they need to see at a time.
3. Empower your business units to make their own vendor decisions
While it is critical to have a consistent vendor onboarding process, it’s also important to understand that employees and departments are constantly adding applications to their technology stacks without telling IT — usually in an attempt to make their jobs easier and their day more productive. They may not realize that this means they’re unwittingly adding a vendor to your organization, or that there may be security risks.
Centralizing your approvals may be frustrating when you’re dealing with a large shadow IT network — especially now that so many employees are working remotely. You may be tempted to control this by clamping down on departments, but another way to make this situation more secure is by giving each department the power to make its own decisions and conduct vetting itself, using the organization’s onboarding process.
According to The Upside of Shadow IT: Productivity Meets IT Security, more straightforward processes for employee technology requests (36%) and training IT staffers on assessing/vetting technologies faster (25%) would make deploying employee-suggested technologies more agile, compliant, and responsive. This sort of training also makes employees more responsible and aware of information security concerns.
4. Realize that not every vendor needs the same level of vetting
Your vendors will run the gamut, and a good onboarding process should strategically evaluate each third party, based on their levels of importance to your organization and the access they have to critical information. Those without access to critical information and systems may be able to get approval more quickly than other, more important vendors.
5. Change the way you handle questionnaires
Let’s be honest: no one likes questionnaires. They’re a headache for vendors, who are tired of filling them out – they’re often sent hundreds of questionnaires every year — and may simply be cutting and pasting answers into a blank questionnaire. They’re a headache for companies, many of whom are simply sending them to check a box for the sake of compliance and aren’t reading the answers. For those companies who do read the answers, verifying answers on questionnaires may be a difficult task, and even then they’re only a snapshot of a vendor’s controls on a given day.
By streamlining the questionnaire process and using continuous monitoring instead of constant questionnaires, your organization can make this part of the process easier for everyone involved.
How SecurityScorecard can help
SecurityScorecard’s Atlas is an intelligent tool that streamlines your vendor risk assessment process. Using our platform, your organization can send and upload vendor responses to questionnaires. Atlas’s machine learning compares their answers to previous questionnaires and the platform’s analytics, verifying responses almost immediately and alerting you to any issues immediately so you can take action and secure your cyber assets.
