In 2013, hackers breached an HVAC provider’s network, giving them access to 40 million credit and debit card numbers from their biggest client: Target. It took years to repair the damage.
Relying on third-party vendors is necessary, but it still presents a cybersecurity risk. How will those companies handle your clients’ data? How vulnerable are they to being hacked? You can’t know all the answers, but you can still take steps to get a better idea of who you’re working with and whether you want to continue the relationship.
The last thing you want is for cyberattacks further along the supply chain to affect your company. Here’s how to gauge a vendor’s trustworthiness and ensure your sensitive data remains safe.
1. Take Inventory
You’re almost certainly working with more than one vendor. Make a list or spreadsheet of everyone you’re partnered with before starting your assessments. You can use vendor management software to streamline the process and ensure you count everybody. This also helps you see gaps in your supply chain where a new company could come in.
2. Perform a Security Policy Review
Before engaging with a new third-party service provider, it’s crucial to analyze its security policies and procedures. Find out what measures it has in place, if any, to protect sensitive data. You should also regularly send security assessments to your current vendors to get an idea of their safety policies.
Look for information about a company’s encryption methods, backup processes and data security protocols. Does it perform regular security testing and training? Ensure it uses robust network safety measures such as firewalls, frequent updates and intrusion detection systems. Strong access controls should limit who can access and use sensitive information.
Additionally, the company should have a well-defined incident response plan. How will it react during a cybersecurity incident? Does it have a plan to minimize the damage and ensure a quick recovery?
3. Conduct a Risk Assessment
More than nine out of 10 U.S. companies have experienced a cybersecurity breach originating with a vendor. Evaluate the third party’s security posture and identify potential vulnerabilities by performing a risk assessment.
To conduct a risk assessment, you should:
- Understand the potential risks a vendor poses.
- Gather evidence to support your assessment.
- Take steps to mitigate the risks. Talk to the vendor about fixing its security weaknesses, or cut ties with it completely.
- Monitor and update your assessment. A vendor’s security measures can change over time, so you should evaluate the company periodically, making changes to your risk assessment as needed.
This process will clarify whether the vendor can handle various threats to your data, helping you decide if it’s trustworthy or not.
4. Check for Compliance
Ensure the company adheres to industry standards. Does it meet SOC 2, the framework that covers how customer data is managed in terms of security, privacy, confidentiality, processing integrity and availability? What about ISO/IEC 27001 and the Payment Card Industry Data Security Standard (PCI DSS)?
Multiple compliance issues are a red flag. Your company could ultimately face legal penalties if your vendors aren’t following the law.
5. Look for Data Breaches
Cybercrime is on the rise. The FBI now receives three to four times more cybersecurity complaints than its pre-pandemic level of 1,000 per day, making it crucial to evaluate a third party’s history of handling data.
Search for any previous data breaches involving the third-party vendor. What is the company’s track record like regarding data security? How has it handled cybersecurity incidents in the past? Look for any ongoing complaints or legal cases against the vendor.
6. Assess Physical Security Measures
Physical safety is just as important as its online counterpart. In 2017, thieves made off with two laptops from the Hong Kong Registration and Electoral Office, compromising 3.7 million registered voters’ data. The computers contained the voters’ addresses, names and ID card numbers.
Make sure your third-party vendor uses appropriate measures to secure its facilities. There should be surveillance cameras, access controls and physical barriers to entry.
7. Sign a Contract
Clearly outline your vendor’s security responsibilities before doing business with them. Have a contractual agreement to minimize liability and ensure everyone is on the same page. Both parties should agree to and sign a contract and adhere to all obligations within
Keeping Your Data Secure
Protecting your and your clients' personal information is crucial whether you run a bank or a simple online store. That’s why, in addition to having strong security measures in place for your own business, you must analyze your vendors’ practices along the entire supply chain.
Don’t be afraid to cut ties with companies that have lax safety standards — your reputation is on the line. You can partner with other businesses that have stronger track records. Protecting yourself and your customers lets you develop a solid track record of safety and reliability, benefiting your organization in the long run.
This article was contributed by Zac Amos. Zac is a tech writer who specializes in cybersecurity. His work has been featured on DZone, the Global Cybersecurity Alliance, Unite.AI and more, and he is the Features Editor at ReHack. Follow him on LinkedIn to read his latest articles.