Got Vendors?

How well you vet them could be the key to protecting your customer data

By Laura Haight

Vendors. We’ve all got them. And we’re pretty careful who we do business with. Right? Or are we? I’m not talking about price or value or previous customer satisfaction, but by their internal security practices.

Every year, the risk of your company, customer, and client data being exposed in a data break through a third-party vendor increases. Last year, according to the Ponemon Institute, that risk increased 7 percent. For its third annual, Data Risk in The Third Party Ecosystem report, Ponemon surveyed more than 1,000 Chief Information Security Officers in the US and United Kingdom. So, OK, right off the bat we’re talking large organizations here.

Even at that, 45 percent in of US responders said their companies had experienced a data breach through a third-party vendor; 25 percent were breached by one of their vendor’s third-party vendors; 61 percent believed they were vulnerable to such an attack.

As these are only the instances that companies know about, the actual exposure could be much larger. Only 32 percent of US respondents believe a vendor would notify them if they were breached.

There are many examples of this occurring, including to companies doing business in the Upstate like Bon Secours, which lost 665,000 patient records in a third-party breach including 200,000 SC patients, and Target.

No matter how smart a business may be about security internally, third-party relationships often go unaddressed. And that lackadaisical approach can have serious and costly consequences.

Have you given an outside vendor an account on your internal network? You might do this if a company or individual is working on a project with you and requires access to some specific resources. It’s not an uncommon thing to do. But are you taking the very important step of determining the security of the vendor before opening this big door. No doubt, Target wishes it had done that.

How are your vendors protecting their own infrastructure? What are their security practices? Many hackers use access to one company as an entry to another.

So is this another hopeless situation? After all, if huge corporations can’t (or aren’t) protecting themselves from this risk, what could I possibly do about it?

The first step, of course, is not throwing your hands up and accepting that whatever will happen is inevitable and you are helpless to stop it.

Vendor management and threat assessment is a big elephant and you can’t eat it all at once.

So, small bites:

  1. Which of your vendors would have the greatest impact if they had a breach? Consisted three factors: sensitivity of the data you share with them, volume of data, and access into your systems. An HVAC company may have none of your sensitive information in their hands, but if you’ve given them access to your network, they are a major risk.

  2. What data is exposed by these vendors?

  3. Tackle these issues head on with those high-impact vendors by asking direct questions about how your data is secured, and their internal policies on access and vendor vetting. A vendor who will not respect and understand your needs, and work with you to provide the best protection possible does not deserve your business.

  4. Ongoing monitoring is the big bite, because it requires vigilance and oversight. Add security commitments as a requirement to contracts.

  5. Vet vendors better. Know what questions to ask to determine how seriously potential vendors are taking their own security and yours. We have a free white paper to help you through this stage.

Third-party risk management (TPRM - yes, there’s now an acronym for this) is a key to protecting your investment and ensuring your customers/clients have entrusted the right firm with their sensitive info. The bottom line: Failure in this area may mean a bigger hit to your reputation than your wallet, but that may be even more costly.