Best Practices for Vendor Cybersecurity

By: Jennifer Hemmah
March 3, 2025

Your security may only be as strong as your weakest vendor. Every vendor you work with that has access to your physical location, your systems, or your data represents a potential security risk. Unfortunately, the latest statistics show that 98% of organizations have at least one third-party vendor that has suffered a data breach. 

So it’s no longer sufficient to only take stock of your own organization’s cybersecurity. It’s becoming incredibly important to understand the policies and practices your vendors are using as well, and if necessary, revise your business partnerships accordingly.

Common Vendor Security Risks


No man — and no business — is an island! We all require business relationships to augment our capabilities and increase efficiency. However, the more a vendor is integrated into your systems and processes, the greater the risk. 

Here are just a few examples of the risks multiple vendors could bring to your organization: 

  • Data breaches through the vendor's compromised systems
  • Unauthorized data sharing 
  • System downtime or disruptions caused by integration issues between two vendors’ systems
  • A sudden unplanned termination of the vendor’s services 
  • Vendor non-compliance with required regulations 
  • Compromised vendor credentials 
  • Hidden malware in vendor software
  • Vendors whose actions could damage your reputation

What Is Vendor Management in Security?

Vendor management is a process of assessing and minimizing the risks associated with any vendor that has access to your organization's data, systems, or facilities. 

In broad strokes, ongoing vendor management tasks include: 

  • Maintaining an up-to-date list of every vendor you work with, categorized by the sensitivity of the data, systems, and locations they can access
  • Assessing the risks each new vendor represents 
  • Investigating their cybersecurity tools and policies before a partnership, and at least once a year as long as you continue to work with them
  • Maintaining up-to-date security requirements in your vendor agreements
  • Establishing procedures for handling vendor-related security incidents

Recent Vendor Security Disasters


Just this past year, the ransomware attack on Change Healthcare illustrated just how vulnerable our healthcare system is to vendor-related cybersecurity incidents. 

Change Healthcare provided technology that helped clients process insurance claims, prescriptions, and other tasks. When it was attacked, its shutdown affected almost every hospital in America — a winning strategy for cybercriminals. After all, why hack hundreds of hospitals separately when you can hit one vendor that serves them all?

It’s also important to note here that these types of risks aren’t exclusively associated with a vendor’s cybersecurity. The CrowdStrike outage that disrupted air travel as well as day-to-day business around the world was caused by a faulty software update, not by an attacker.

The Good News About Vendor Cybersecurity Assessment

If your business provides services to other organizations, I do have some good news for you! 

As more organizations get smart about vendor risk, your cybersecurity can become an important selling point. If you take your cybersecurity seriously — like requiring multifactor authentication on all accounts — it can help you win more business. And as more businesses take a good, hard look at their vendors’ cybersecurity, many of them will be reevaluating longstanding partnerships and opening up opportunities for more responsible companies.

Cybersecurity Vendor Risk Management Tips


Here are a few additional tips to help both vendors and business partners simplify risk management:

5 Pro Tips for Vendors

  1. Use the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (or our simplified checklist) to make sure you’re following best practices
  2. Highlight any security-related certifications (like a SOC report) your organization has achieved
  3. Limit access to any sensitive databases or systems to minimize risks and potential impacts on your clients
  4. Verify that your policies and tools are being followed by your staff and any business partners 
  5. Address any cybersecurity concerns your business partners may have as soon as possible

8 Pro Tips for Business Partners

  1. Clearly communicate with any business partners about your cybersecurity requirements
  2. Reevaluate your requirements as cybersecurity evolves 
  3. While some vendors may need a bit of time for remediation, be prepared to end business partnerships with those who don’t take security seriously
  4. If you have a cybersecurity insurance policy, review your coverage for incidents that originate with vendors
  5. As you negotiate contracts, define any incident response and notification requirements, as well as clear exit strategies and data return procedures
  6. Implement network segmentation to contain vendor access 
  7. Maintain and review detailed logs of vendor system access 
  8. Maintain relationships with backup vendors in cases where a sudden disruption would have a severe impact on your organization
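As an added example (not code from the original post), here is how the vendor inventory from the management tasks above and tips 6 and 7 for business partners fit together in a small Python script: a constructed vendor register tagged by sensitivity tier, authorized systems, and last assessment date; a constructed access log; and two checks that flag vendor access outside the authorized scope and assessments older than a year. Vendor names, system names, and the log format are all assumptions.

```python
from datetime import date, timedelta

# Constructed vendor register (assumed names): each vendor is tagged with the
# sensitivity tier of what it touches, the systems it is authorized to reach,
# and the date of its last security assessment.
VENDORS = {
    "claims-clearinghouse": {"tier": "high", "systems": {"claims-db", "sftp-gw"},
                             "last_assessed": date(2024, 1, 15)},
    "hvac-maintenance":     {"tier": "low",  "systems": {"building-bms"},
                             "last_assessed": date(2024, 11, 2)},
}

# Constructed access log: "<timestamp> <vendor account> <system reached>" per line.
ACCESS_LOG = """\
2025-02-20T03:14:00Z claims-clearinghouse claims-db
2025-02-20T09:30:00Z hvac-maintenance building-bms
2025-02-21T14:05:00Z hvac-maintenance claims-db
2025-02-22T22:40:00Z unknown-contractor sftp-gw
"""

REVIEW_INTERVAL = timedelta(days=365)  # reassess each vendor at least once a year

def parse_log(text):
    """Yield (timestamp, vendor, system) tuples from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, vendor, system = line.split()
            yield ts, vendor, system

def out_of_scope_access(log_text, vendors=VENDORS):
    """Return entries where a vendor account reached a system it is not
    authorized for, or where the account is not in the register at all."""
    findings = []
    for ts, vendor, system in parse_log(log_text):
        allowed = vendors.get(vendor, {}).get("systems", set())
        if system not in allowed:
            reason = "unregistered vendor" if vendor not in vendors else "outside authorized systems"
            findings.append((ts, vendor, system, reason))
    return findings

def overdue_assessments(today_iso, vendors=VENDORS):
    """Return vendors whose last assessment is older than REVIEW_INTERVAL as of today_iso."""
    today = date.fromisoformat(today_iso)
    return sorted(v for v, info in vendors.items()
                  if today - info["last_assessed"] > REVIEW_INTERVAL)

if __name__ == "__main__":
    for finding in out_of_scope_access(ACCESS_LOG):
        print("ACCESS", *finding)
    print("OVERDUE", overdue_assessments("2025-03-03"))
```

Feeding the script real access logs and the real register turns the two checks into a routine review that supports both the annual reassessment and the access-log review described above.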

Additional Help With Vendor Risk Management and Cybersecurity

Need help creating a vendor cybersecurity assessment? Every business and business partnership will have different risks. But the Vendor Security Alliance compiles two free questionnaires, which are updated every year. You can download both here.

As a comprehensive technology provider with extensive cybersecurity resources, we’ve helped businesses address cybersecurity gaps quickly in order to preserve key client relationships. We also work with a number of clients to minimize the risks that a vendor — even a well-intentioned one — could pose to their business. 

Vendor due diligence isn’t one-size-fits-all, but we’ve put together some sample vendor due diligence questions and additional resources in a recent blog. Click through to explore this topic in greater detail!
