Could the vendors and partners you work with be creating security risks for your company? If you're like many business owners, you may assume that because you're investing in cybersecurity, your business is protected. In reality, unless you've taken a close look at the security practices of all your partners, from consultants who may access company information to the products and services you purchase, you may be putting your company's information in jeopardy. According to a study reported in Computer Weekly, 63% of data breaches are related to third parties: partners, vendors and, potentially, even customers.
When you vet an external partner you typically weigh a number of factors, but you may be overlooking one of the most critical: security. This applies to any type of vendor, whether you're hiring a virtual assistant or buying a SaaS product. Partners and vendors can put your data at risk in many ways, from storing payment information improperly to poorly secured integrations between their systems and yours. If security isn't part of how you choose partners and vendors, start now.
1. Include Security Policies in Your Buying Process
Signing a contract with a new partner or vendor can be a long and involved process. You're probably looking at reputation, offerings, price and competitiveness. It's just as important to evaluate what their security practices look like. Any savings from choosing a cheaper provider with poor security practices can be wiped out entirely if you end up covering the costs of a data breach. Questions to ask during the evaluation include:
- What are the vendor’s security policies?
- How do they control access to your company’s information?
- How often does the company review their security practices, even at the level of a client account?
- Are their cybersecurity measures audited by an outside organization?
- In the case of a security breach, intrusion or other data-related incident, what is the company's standard response time, and how quickly will they notify you?
- What internal and external support resources does the company have in place to help respond to any data breach or related issue?
- Does the company carry cybersecurity insurance?
- Will the vendor share financial, legal and labor risks in the event of a breach?
2. Involve IT in Your Partner and Vendor Reviews
When making a major business deal, many companies involve multiple people to ensure they make a sound decision. In fact, the Corporate Executive Board recently reported that B2B buying processes often include 5.4 decision makers. Among those decision makers, does your IT department have a seat? All too often, buying decisions that include an IT component, or that require handing critical data to a vendor, leave the IT team out of the process. Once the partnership has been decided upon, your IT team may quickly discover that it poses significant security risks for your business. By then it may be too late to fully solve the problem.
For example, on the surface, hiring a marketing agency doesn't look like a significant cybersecurity risk. However, the agency may store confidential files on its own servers, or hold credentials or delegated access to your public-facing social media accounts through the tools it uses. It's important to assess and manage that risk: evaluate their file security protocols, understand how they manage their own cybersecurity, and find out what steps they take to safeguard client information. Having a knowledgeable person from your IT team ask the right questions early in the discussions helps you spot potential cybersecurity risks before you commit.
3. Build Security Expectations into Contracts
Make sure your vendor and partner contracts spell out what you consider an acceptable level of security. For example, if a third-party partner has stated that they undergo annual security audits, make continued audits, and your right to see the results, a term of the contract. If a vendor states that they carry a certain level of cybersecurity insurance to help mitigate the risk of a breach, build that into the contract as well. Recording both your expectations and the vendor's commitments in the contracts and service level agreements you sign helps keep the right security measures in place for the life of the relationship.
4. Conduct Ongoing Partner and Vendor Security Assessments
While it is important to evaluate the security investments of prospective partners, it is just as important to look at the companies you're already working with. As your business grows, you must keep evaluating and investing in security, and asking security-related questions about existing partners is an integral part of that. There are numerous ways to conduct these evaluations: surveys and security questionnaires, site visits, focused meetings to discuss security practices, access reviews (which vendor accounts, keys and integrations still exist, and whether each is still needed and within the agreed scope), and independent outside audits. Many mid-sized organizations simply start by scheduling a direct meeting with their partners and vendors to discuss what measures are in place and identify areas of concern. Building a culture of ongoing security evaluation helps keep your information safe. The volume of threats makes this essential: SecurityWeek reported that 94.1 million security threats were detected in February 2017 alone.
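The access review mentioned above is the one part of ongoing vendor assessment that can be partly automated. The following is an added example, not code from the original article: it takes an inventory of third-party accounts and the contracts that justify them, and flags accounts whose contract has ended or is missing, whose access exceeds the contracted scope, that have gone unused for longer than a threshold, or that lack MFA. The vendors, accounts, dates and the 90-day inactivity threshold are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Set, List, Tuple

# Assumption: accounts idle longer than this are treated as stale.
INACTIVITY_DAYS = 90


@dataclass
class Contract:
    vendor: str
    allowed_access: Set[str]   # systems/scopes the contract permits
    end: date


@dataclass
class VendorAccount:
    vendor: str
    account: str
    access: Set[str]           # systems/scopes the account can actually reach
    last_login: Optional[date]
    mfa_enabled: bool


def review_access(accounts: List[VendorAccount], contracts: List[Contract],
                  today: date) -> List[Tuple[str, str]]:
    """Return (account, issue) pairs for every third-party account that
    should not exist as-is: no contract, expired contract, access beyond
    the contracted scope, inactivity, or missing MFA."""
    by_vendor = {c.vendor: c for c in contracts}
    findings = []
    for a in accounts:
        contract = by_vendor.get(a.vendor)
        if contract is None:
            # Orphaned access: nobody can say why this account exists.
            findings.append((a.account, "no contract on file"))
            continue
        if today > contract.end:
            findings.append((a.account, "contract ended, access still active"))
        extra = a.access - contract.allowed_access
        if extra:
            findings.append((a.account,
                             f"access beyond contract scope: {sorted(extra)}"))
        if a.last_login is None or (today - a.last_login).days > INACTIVITY_DAYS:
            findings.append((a.account, "inactive account"))
        if not a.mfa_enabled:
            findings.append((a.account, "MFA not enforced"))
    return findings


def accounts_to_disable(findings: List[Tuple[str, str]]) -> Set[str]:
    """Accounts with no valid contract behind them should be disabled outright;
    the other findings go back to the vendor for remediation."""
    return {acct for acct, issue in findings
            if issue.startswith("no contract") or issue.startswith("contract ended")}


# Constructed sample inventory (hypothetical vendors and dates).
TODAY = date(2025, 3, 15)
SAMPLE_CONTRACTS = [
    Contract("Acme Marketing", {"social-media", "shared-drive"}, date(2024, 12, 31)),
    Contract("Bolt Payments", {"payments-api"}, date(2025, 6, 30)),
]
SAMPLE_ACCOUNTS = [
    VendorAccount("Acme Marketing", "acme-svc",
                  {"social-media", "shared-drive", "crm"}, date(2025, 3, 1), True),
    VendorAccount("Bolt Payments", "bolt-api", {"payments-api"}, date(2025, 3, 10), False),
    VendorAccount("Bolt Payments", "bolt-old", {"payments-api"}, date(2024, 10, 1), True),
    VendorAccount("Unknown Freelancer", "freelancer-1", {"shared-drive"}, None, True),
]


def run_sample() -> List[Tuple[str, str]]:
    return review_access(SAMPLE_ACCOUNTS, SAMPLE_CONTRACTS, TODAY)


if __name__ == "__main__":
    for acct, issue in run_sample():
        print(f"{acct}: {issue}")
    print("disable:", sorted(accounts_to_disable(run_sample())))
```

In practice the inventory would be pulled from your identity provider, VPN and SaaS admin consoles rather than typed in, and the contract table from procurement; the value of the exercise is the join between the two, which is what surfaces access that no current agreement justifies.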
The level of security maintained by third-party partners is a crucial part of your overall security strategy. Prioritize security when evaluating both current and prospective partners and vendors. For new partnerships, ensure your contracts reflect every security commitment discussed during the buying process and that the compliance requirements and certifications that apply to your business are in place, e.g. HIPAA/HITECH, FINRA and PCI DSS. Because today's partners often need access to your network and retain critical, sensitive data, closely monitoring third-party security is essential to the success of your business.