
Third-Party Vendors

Working with third-party vendors should be a first priority. We understand that doing business today takes a village. No matter the size of your organization, you can’t do it alone—nor should you. Business relationships with third-party vendors add great value to your organization, but these important relationships also carry cybersecurity and reputational risks. Any time you share data with an external party, you lose some control over what happens to it. Depending on the vendor relationship, this can involve sensitive data, such as employee personal details, confidential business information, and company financials. It’s certainly not the information you want to fall into the hands of a cyberattacker.

With this in mind, how can you mitigate some of the risk that comes with vendor relationships? This article covers the basics of assessing, reducing, and managing third-party cybersecurity risk at your organization.

Managing Cybersecurity Risk

  • Businesses often share large amounts of sensitive data with vendors as a necessity of working together. When they fall victim to a cyberattack, any data you share with them could be breached, misused, or stolen.
  • If your business is subject to compliance regulations like PCI, HIPAA, and GDPR, you may even be held legally and financially accountable for breaches caused by a third-party supplier.
  • If a third-party vendor experiences a security incident, they may pause operations—either because they cannot access their data, or to give themselves time to assess and respond to the attack. This is a major concern for businesses that rely on third-party providers to keep their company running, as downtime can result in lost business, delays, and rippling impact throughout the supply chain.

Third-Party Relationships Are on the Rise

As a small business, the most important step you can take is to formalize a process for managing third-party risk at your organization. This means implementing an intentional plan to identify, assess, document, and protect against the potential threats that your vendors face.

Here’s how to get started.

1. Create a Standardized Approach when Assessing Third-Party Vendors

Vendor risk management begins with a standardized, comprehensive approach. Work with key stakeholders at your organization to set expectations, define ownership, and apply a consistent, documented process, both for existing third parties and during the selection process for a new vendor. The time invested up front makes subsequent work easier when new partners come on board.

Key steps in your approach:

  • Identify Third Parties: Inventory and document all vendors and service providers with whom your organization works, and keep the list regularly updated as you hire new vendors. Be sure to consider all external companies with whom you do business—if they provide a good or service, they should be on your list. Common categories of third-party vendors include:
    • Contractors and consultants
    • Agencies and business services
    • Manufacturers and suppliers
    • Technology and software providers
  • Catalog Security Risks: For each vendor, list the potential risks you will face working with them, including financial, information security, reputational, and compliance risk, and determine your organization’s risk threshold.
  • Establish an Internal Team: Decide who in your organization is responsible for managing each vendor relationship, communicate the expectations for managing security risk and best practices, and establish an oversight team.
  • Document, Communicate, and Enforce Requirements: Vendors can’t meet your security requirements if they don’t know what they are. Determine your standards, track them, and communicate them to third-party vendors proactively.

2. Assess Third-Party Vendors’ Security Controls

Once you have a standardized approach in place, focus on assessing third-party relationships thoroughly—both existing relationships and in the vetting process for a new vendor. Your review should cover the following:

  • Vendor History and Reputation: Do your research and due diligence on the vendor. Check review sites, customer testimonials, business listings, and any news stories. Consider how long the third-party company has been doing business, their history, and any previous cybersecurity, legal, or financial issues. Create a checklist, flag any issues, and discuss internally and with the vendor to determine the potential risk.
  • Information Accessed: You may not even realize how much data you share with third parties—which is why it’s so important to make a detailed list. What data does the third-party vendor use when working with you? What access do they have? If they access sensitive data such as customer and client information or company financial records, apply additional scrutiny during the selection and review process.
  • Cybersecurity Policies and Practices: Ask the vendor about their cybersecurity controls in place, including People, Processes, and Technology. Do they train their team on security and conduct regular employee background checks? Do they have strong cybersecurity policies and protections that align with key cybersecurity frameworks and standards? How do they audit and test their cybersecurity technology and compliance requirements?

A good way to look at the assessment process is to treat vendors as if they are your company. Holding them to the same standards that you apply internally helps ensure that your data is protected the way you would protect it.

3. Use Proper Access Management Standards

Use the same processes, procedures, and technology that you use internally to monitor and limit access. Just as you wouldn’t give someone on your sales team administrator access to the network, don’t grant a third-party vendor access—especially to sensitive data—that they don’t need to perform their job. A vendor can always request more access if they truly need it, but a conservative approach to sharing access and data helps contain the potential damage.

Don’t forget to consider access removal: When you stop doing business with a vendor, follow your standard offboarding procedures to be sure all access is revoked.

4. Continuously Monitor Third-Party Cybersecurity Procedures

After the initial vetting process for a vendor, continuous monitoring and management are crucial to keeping risk under control.

The internal owner of each vendor relationship should conduct regular check-ins to discuss their evolving cybersecurity procedures and requirements. It’s also recommended to assess the vendor by conducting a full security review and audit every six months to a year, following the same assessment standards you set in Step 2.

If security concerns arise at any point, work with the vendor to develop a plan for improvement with mutual accountability. Remember, investing this time and these resources helps ensure your partnerships continue to uphold your high standards for security and business practices.

Don’t Forget: You’re a Third-Party Vendor, Too

If your organization works with or provides services to other businesses, your customers likely consider you to be a third-party vendor and may come to you with cybersecurity requirements of their own.