Managing Risk a Must in Third-Party Relationships
Conducting Thorough Due Diligence on a Prospective Vendor’s Security is Essential
All businesses rely to some degree on external vendors, and as a result, all businesses face some degree of vendor risk. Though most businesses have no choice but to obtain internet services, security solutions, and a range of other business-critical technologies from third-party providers, they do have a choice in how they manage the associated security risks. The following tips can help security decision-makers more effectively address the risks posed by technology vendor relationships:
Be Hands-On With Due Diligence
Conducting thorough due diligence on a prospective vendor’s security is essential. Start with the vendor’s website where many post their security compliance standards. Gathering this information is particularly important if you require certain compliance certifications—such as GDPR if your business processes or controls EU citizens’ data, for example—but it should only serve as the beginning of your due diligence process.
Next, consider what this compliance information doesn’t tell you. What do you still need to learn about the vendor’s security posture before deciding whether you’re comfortable with it? Think about what questions you still have and, if possible, seek answers from the vendor’s appropriate security contact. Here are some questions to pose:
● When was your last penetration test? Is your remediation on schedule?
● Have you documented your last five security incidents? How did you remediate those incidents?
● Do you have the result of your last business continuity test? If yes, can you share it?
● What security controls exist for your users? Do they use multifactor authentication, etc.?
● How are you maturing your security program?
Be Ready to Implement Additional Security Controls
What happens if you’re unsatisfied with the answers? First, determine whether working with the vendor is critical to your business. If no, it’s important to recognize that sometimes you need to walk away. If yes, and if no other reputable vendors offer anything comparable, you will likely need to implement additional security controls to mitigate the risks associated with your business's use of the offering, such as:
Technical: These are typically restrictions on the access and/or technical integrations of vendor offerings. For example, if a product is web-based but unencrypted, consider blocking users on your network from accessing its website; provided the proper authentication is in place, use its API instead.
Policy: These are policies that users of the offering should follow, such as limits on the types and amounts of data that can be input securely.
Keep Track of Your Assets
There are several reasons why it’s imperative to know which of your business’s assets the vendor will be able to store and/or access. For one, this knowledge can help you identify and shape any additional security controls. Second, having this knowledge on hand is crucial should the vendor suffer a breach. Knowing exactly what assets were impacted can expedite your response and enable you to identify and mitigate any exposure efficiently and effectively.
Prepare a Response Plan
Before finalizing a vendor relationship, it’s crucial to use all the information gathered during your due diligence process to construct a response plan in preparation for any future incidents the vendor might experience. Tracking the assets to which your vendor has access is one component of an effective response plan. Others include courses of action to mitigate exposure, disclosure and notification procedures, external communications strategies, and plans to re-evaluate the vendor’s security and remediations following an incident.
The most effective way to manage vendor risk is not to work with any external vendors in the first place, which isn’t a feasible strategy. The most secure and successful vendor relationships are rooted in preparation and transparency. Thoroughly understanding all facets of a vendor’s security program, implementing additional controls as needed to appropriately safeguard your business’s assets, and being prepared to respond to future incidents can go a long way toward reducing business risks associated with any vendor relationship.