5 best practices for reducing third-party vendor security risks

Benefit from experts' advice on how to mitigate your company's risk of data breaches caused by third-party vendors.

More and more businesses are off-loading in-house operations to third-party vendors (TPVs). The incentive? It saves money. Off-loading functions also affords businesses the ability to focus on their core competency.

However, more often than not, off-loading a function also means giving an outside organization some degree of access to the company's network and/or data. And, as we all know, that access can lead to trouble.

Many of the companies that have suffered breaches through compromised TPV access are outfitted with full-blown IT and security departments. One has to wonder where that leaves small business operators with little or no IT and security expertise.

Interestingly, it usually means relying on TPV consultants to set up and maintain whatever IT the business requires, which of course means granting still more remote access. Hmm.

How to diminish TPV access issues

Lisa Kahn Little writing for The Business Journals offers the following suggestion: "A good vendor management program can enable a business to mitigate risks, help control costs, and drive service excellence to maximize value from their vendors."

As to what constitutes a good vendor management program, Kahn Little enlists Jorge Rey, director of information security for Kaufman Rossin, to explain.

1: Manage the selection process

Rey's first concern is the services being considered for outsourcing: what kind of information access will the TPV have? If a vendor under consideration will have access to sensitive data such as customer information or company financial records, additional scrutiny during the selection process is advised. "Do your due diligence," suggests Rey. "Take your time selecting a vendor by creating a list of possible companies, evaluating their proposals, and reviewing your requirements to find a good fit."

Additional suggestions from Rey:

  • Examine the credit history of potential vendors
  • Ask how long the company has been around
  • Determine whether the company has had any legal or financial issues
  • Look into the potential supplier's internal security practices
  • Check whether they have comprehensive information security policies and recovery plans in place
  • Ask if they perform regular data backups, internal security audits, and background checks on the employees who will have access to client data

2: Understand vendor contracts

Rey advises that contracts should be transparent, flexible, and concise. Flexibility is essential if there is ever the need to change providers. Contracts should include the following:

  • Services being provided
  • Duration of contract
  • Confidentiality clauses
  • Right to audit
  • Contingency plans

"As a business owner, it's important to understand service-level agreements, including ramifications for vendors who fail to meet them," explains Rey. "It also helps to set up next-step procedures, in case a relationship with a vendor ends."

Something else to consider: keep a copy of the contract off-site in case of a disaster.

3: Monitor vendors' performance

Rey feels it is important to ask the following questions at regular intervals:

  • Is the vendor meeting the terms of the service-level agreement?
  • Are deadlines being met?
  • Is the quality of the product or service up to specified standards?

4: Continue in-house monitoring

To catch issues early, Rey feels it is important to keep track of company financials and data security. "It's a good idea to monitor accounts payable on a regular basis and stay aware of what's happening with cash flowing in and out of your company," mentions Rey. "Establishing an information security program and implementing proper internal controls can help you detect potential issues — whether with vendors, employees, or otherwise."
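Rey's advice about internal controls applies directly to the remote access a TPV is granted: the contract (section 2) states which systems the vendor may touch and when the relationship ends, and in-house monitoring should check the vendor's actual logins against those terms. The following is an added example, not code from the article or from Rey; the vendor roster, the maintenance window and the log lines are all constructed for illustration, and the log format (`timestamp account host result`) is an assumption, not any particular product's format.

```python
from datetime import date, datetime, time

# Constructed vendor roster (not from the article): contract end date and the
# hosts each vendor was contracted to reach.
VENDORS = {
    "acme-support":    {"contract_end": "2024-06-30", "allowed_hosts": {"erp-app01", "erp-db01"}},
    "cloudbackup-svc": {"contract_end": "2025-12-31", "allowed_hosts": {"backup01"}},
}

# Assumed maintenance window from the contract; vendor logins outside it are flagged.
WINDOW_START, WINDOW_END = time(8, 0), time(18, 0)

# Constructed sample log, one event per line: "<ISO timestamp> <account> <host> <result>".
SAMPLE_LOG = """\
2024-06-15T10:00:00 acme-support erp-app01 success
2024-06-16T02:40:00 acme-support erp-db01 success
2024-06-17T11:00:00 acme-support hr-fileshare success
2024-06-17T11:05:00 acme-support hr-fileshare failure
2024-06-18T12:00:00 cloudbackup-svc backup01 success
2024-06-19T12:00:00 jsmith workstation07 success
2024-07-02T09:15:00 acme-support erp-app01 success
"""


def parse_line(line):
    """Split one log line into (timestamp, account, host, result); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3]


def review_vendor_access(log_text, vendors=VENDORS):
    """Return findings for successful vendor logins that breach the contract terms.

    Each finding is (reason, account, host, timestamp). Accounts not in the
    roster are ignored: the roster defines which accounts belong to TPVs.
    Failed logins are skipped; only access that actually happened is reviewed.
    """
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, account, host, result = parsed
        if result != "success" or account not in vendors:
            continue
        vendor = vendors[account]
        if ts.date() > date.fromisoformat(vendor["contract_end"]):
            findings.append(("login_after_contract_end", account, host, ts))
        if host not in vendor["allowed_hosts"]:
            findings.append(("host_out_of_scope", account, host, ts))
        if not (WINDOW_START <= ts.time() <= WINDOW_END):
            findings.append(("outside_maintenance_window", account, host, ts))
    return findings


def stale_vendor_accounts(vendors, as_of_iso):
    """Vendor accounts whose contract ended before the given ISO date; these should be disabled."""
    as_of = date.fromisoformat(as_of_iso)
    return sorted(
        name for name, v in vendors.items()
        if date.fromisoformat(v["contract_end"]) < as_of
    )


if __name__ == "__main__":
    for reason, account, host, ts in review_vendor_access(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {reason:28s} {account} -> {host}")
    print("accounts to disable:", stale_vendor_accounts(VENDORS, "2024-07-01"))
```

Run against the sample, the review flags one off-hours login, one login to a host outside the contracted scope, and one login after the contract ended, and lists `acme-support` as an account that should have been disabled when the relationship ended (Rey's "next-step procedures"). In practice the roster would be maintained alongside the contract register and the log fed from the VPN, bastion or identity provider.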

5: Use vendor non-disclosure agreements (NDAs)

NDAs are necessary whenever a TPV has access to sensitive company data, customer data in particular. As to why, Rey adds, "An NDA can help protect your company's critical data, which you would not want to end up in the hands of a competitor or the general public."

Additional tips about the selection process

Heinan Landa, CEO of Optimal Networks, writing for The Business Journals offers an interesting suggestion for those responsible for selecting TPVs. "After spending 24 years in the Washington, D.C., technology scene, I've come to recognize the signs of a quality provider and the red flags that should have you running full-speed in the opposite direction," writes Landa. "Many of these indicators will be apparent in the first document you receive from your would-be vendor: the proposal for support."

Landa recommends paying attention to the following:

  • Clarity: Jargon is out. If the proposal is confusing, Landa suggests there is a good chance of issues down the road.
  • Personalization: The proposal should reflect the client's needs rather than being a cookie-cutter template.
  • Appearance: How the proposal is presented is indicative of the vendor's effort now, and likely in the future.

"The look and feel of your proposal are important because there is generally a direct correlation between appearance and effort," explains Landa. "This is not to say the flashiest proposal is the best, but it is to say that a few pieces of tattered paper shoved into a folder are probably indicative of a lower level of commitment when compared to a cleanly-formatted, meticulously organized, colorful, bound document."

References and testimonials

Both Rey and Landa place a lot of stock in what a potential vendor's existing clients think.

  • How do the vendor's current clients feel about them?
  • What was the onboarding process like?
  • How communicative are they?
  • How deeply do they understand both the client's network and their overall business objectives?
  • How does the potential vendor treat its employees?

Consider the irony

It might very well be that smaller organizations will not have the time or expertise to set up a vendor management program. There are, however, providers offering that very service. If that is a consideration, use the advice offered here to vet their proposals and service offerings, too.
