Maintaining your company’s data security is an essential practice, especially when you work with a third-party vendor. Whether you’re looking to add a cloud service like Google Workspace or Microsoft 365, or thinking about adding another type of third-party extension to your workflow to improve efficiency, reduce overhead costs, and alleviate resource constraints, bringing an external provider into your environment can unexpectedly expose your organization to a multitude of risks.
And, without knowing how a vendor protects the sensitive data you’re trusting them with, you could be sending your data into space with little to no ongoing oversight.
The number of data breaches attributed to third-party vendors is striking:
- In the past 12 months, 80 percent of companies had a security breach that stemmed from vulnerabilities with their vendor system
- 2018 Ponemon statistics show that at least 56 percent of organizations have experienced a data breach due to a vendor’s security shortcomings
Additionally, not enough companies are reviewing and understanding the criteria for breach risks when it comes to third-party vendors:
- Around 29 percent of companies say they have no way of knowing if a security risk happens with a third-party vendor
- Only 32 percent routinely review their vendor’s cyber risk
While some third-party vendors are designed to help you secure and protect your data, that isn’t always the case. There are several factors to consider before working with a new company. Read on to understand how to vet third-party vendors, the risks involved, and how to keep your company’s data secure.
How To Vet Third-Party Vendors
Before getting started with a new vendor, it’s in your best interest to review the tool or service and assess whether it is an appropriate match for your company. Here are a few steps you should take when considering a third-party vendor:
1. Understand the Product and Classify the Risk
While reviewing a vendor, you need to thoroughly understand the service provided and how much sensitive data will be shared.
You should also take into account how much access and control of data the vendor will have, and if it’s acceptable and appropriate to your company. You’ll need to classify the risk in regards to sharing your data with the vendor.
A few different types of risk to think about are cybersecurity risk, compliance risk, reputational risk, and financial risk:
- Cybersecurity risk: Take a look at the vendor’s cybersecurity policies and procedures, and how they handle security threats. If there are critical vulnerabilities in their system, you may want to reconsider working with them.
- Compliance risk: This is the risk that the vendor violates governing laws or regulations, or fails to comply with internal and external policies and procedures. For example, a violation or security breach of HIPAA information by a vendor could result in a major issue.
- Reputational risk: Your company will need to think about the reputational risks if a breach occurs. This means potential negative public perception of your company, which can also result in client dissatisfaction and complaints.
- Financial risk: This is the risk that a third-party vendor cannot perform the expected duties and obligations under a contractual financial agreement with your company. Understanding the vendor’s financial ability and standing can also help you gauge financial risk.
2. Utilize Security Assessment Tools and Templates
Once you’ve classified the risk and understood the vendor’s service, the next step is to assess their security. This can be done through various digital assessments and questionnaires. You can utilize these tools and templates to create a customized questionnaire for third-party vendors:
- Shared Assessments’ Standardized Information Gathering (SIG) Questionnaire Tools
- Qualys Security Assessment Questionnaire
3. Ask Security and Risk Assessment Questions and Request Documentation
Whether you send a vendor a formal questionnaire or speak with them over the phone, be sure you have an informed understanding of the vendor’s security capabilities and any shortcomings. When reviewing a potential vendor, it can be helpful to request additional documentation and verification, and to ask about the following:
- Industry certifications (like SOC 2)
- Business continuity and disaster recovery plans
- Information security policy
- Do they encrypt data in transit and at rest?
- What are their hiring practices?
- Do they perform assessments on the third parties they work with?
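The three vetting steps above (classify the data and access involved, collect questionnaire answers, check the documented controls) can be turned into a repeatable scoring pass so that every vendor review reaches the same tier for the same answers. The script below is an added example written for this article, not a tool from the article or from Shared Assessments or Qualys: the sensitivity and access scales, the control weights, the tier thresholds, and the three vendor responses are constructed assumptions, and the hard-stop rules simply encode the article's own advice that critical vulnerabilities and unencrypted regulated data should make you reconsider.

```python
from dataclasses import dataclass
from typing import Dict, List

# Inherent risk scales (assumed values): how sensitive the shared data is,
# and how much access the vendor gets to it.
DATA_SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "regulated": 4}
ACCESS_LEVEL = {"none": 0, "read": 1, "read_write": 2, "admin": 3}

# Controls taken from the questionnaire items in the article; weights are assumptions.
CONTROLS = {
    "soc2_report": 2,            # industry certification evidence
    "bcp_dr_plan": 1,            # business continuity / disaster recovery plan
    "infosec_policy": 1,         # written information security policy
    "encrypt_in_transit": 2,
    "encrypt_at_rest": 2,
    "background_checks": 1,      # hiring practices
    "assesses_subprocessors": 1, # vendor assesses its own third parties
}

# Residual-score thresholds for tiers (assumed). Max inherent score is 4 * 3 = 12.
HIGH_THRESHOLD = 6.0
MEDIUM_THRESHOLD = 3.0


@dataclass
class VendorResponse:
    name: str
    data_sensitivity: str
    access_level: str
    controls: Dict[str, bool]
    open_critical_vulns: int = 0   # unremediated criticals the vendor disclosed


@dataclass
class Assessment:
    vendor: str
    inherent_risk: int
    residual_score: float
    tier: str
    gaps: List[str]
    hard_stops: List[str]


def assess_vendor(v: VendorResponse) -> Assessment:
    """Score one questionnaire response into a risk tier plus the control gaps to follow up on."""
    inherent = DATA_SENSITIVITY[v.data_sensitivity] * ACCESS_LEVEL[v.access_level]

    total_weight = sum(CONTROLS.values())
    satisfied = sum(w for c, w in CONTROLS.items() if v.controls.get(c, False))
    gaps = [c for c in CONTROLS if not v.controls.get(c, False)]

    # Controls reduce exposure proportionally to the weight they cover.
    coverage = satisfied / total_weight
    residual = inherent * (1 - coverage)

    # Hard stops: conditions that override the score, per the article's guidance.
    hard_stops = []
    if v.open_critical_vulns > 0:
        hard_stops.append(f"{v.open_critical_vulns} unremediated critical vulnerabilities")
    encrypted_both = v.controls.get("encrypt_in_transit", False) and v.controls.get("encrypt_at_rest", False)
    if v.data_sensitivity == "regulated" and not encrypted_both:
        hard_stops.append("regulated data without encryption in transit and at rest")

    if hard_stops:
        tier = "reject"
    elif residual >= HIGH_THRESHOLD:
        tier = "high"
    elif residual >= MEDIUM_THRESHOLD:
        tier = "medium"
    else:
        tier = "low"

    return Assessment(v.name, inherent, residual, tier, gaps, hard_stops)


# Constructed sample responses (not real vendors).
SAMPLE_VENDORS = [
    VendorResponse("Example HR SaaS", "regulated", "read_write", {
        "soc2_report": True, "bcp_dr_plan": True, "infosec_policy": True,
        "encrypt_in_transit": True, "encrypt_at_rest": True,
        "background_checks": True, "assesses_subprocessors": False}),
    VendorResponse("Example Analytics Tool", "confidential", "admin", {
        "soc2_report": False, "bcp_dr_plan": True, "infosec_policy": True,
        "encrypt_in_transit": True, "encrypt_at_rest": False,
        "background_checks": False, "assesses_subprocessors": False}),
    VendorResponse("Example Billing Vendor", "regulated", "read", {
        "soc2_report": True, "bcp_dr_plan": True, "infosec_policy": True,
        "encrypt_in_transit": True, "encrypt_at_rest": False,
        "background_checks": True, "assesses_subprocessors": True},
        open_critical_vulns=2),
]


def assess_all(vendors=SAMPLE_VENDORS) -> Dict[str, Assessment]:
    return {v.name: assess_vendor(v) for v in vendors}


if __name__ == "__main__":
    for a in assess_all().values():
        print(f"{a.vendor}: inherent={a.inherent_risk} residual={a.residual_score:.1f} tier={a.tier}")
        for g in a.gaps:
            print(f"  gap: {g}")
        for h in a.hard_stops:
            print(f"  hard stop: {h}")
```

The point of the hard-stop list is that a strong questionnaire score never papers over a disqualifying finding; the gaps list is what you hand back to the vendor as the documentation and remediation you still need before signing.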
What Happens When You Don’t Vet Third-Party Vendors?
Without knowing the security measures your third-party vendor takes, your data is vulnerable. And while most companies are able to recover, security breaches should be avoided at all costs.
Improper vetting can result in the following types of security incidents:
- Phishing attacks: Third-party vendors may be targets of phishing attacks, meaning employees who download resources from unverified sources masquerading as your vendors may open themselves up to phishing attacks, too. In April 2020, Beaumont Health suffered a phishing attack after employee email accounts were compromised by a malicious actor. Over 112,000 employees and patients had their personal and medical data exposed.
- Malware: If a third-party vendor is hit with malware, your data can be locked along with it. In 2014, Code Spaces, a source code hosting service with project management tools, suffered a massive DDoS cybersecurity attack which destroyed a significant amount of data, local backups, and machine configurations. Code Spaces was unable to resolve the issue and had to refund their clients, and with their credibility and financial status severely compromised, they eventually shut down.
- Loss of access to the system: It’s not all malicious. Sometimes, third-party vendors lose access to the system, and you lose access to your data, too. In December 2020, Google suffered a two-day partial system outage that left users unable to access Gmail, Drive, Maps, and more. Microsoft also experienced significant outages in November 2020, leaving users unable to access Exchange Online.
- Data exfiltration: This happens when malware or a malicious actor executes an unauthorized data transfer. In 2019, Quest Diagnostics had the information of 11.9 million patients stolen after an unauthorized user gained access through a billing collections vendor.