Vendors carry unique risks; here’s how to address them
Remember the TV show The Weakest Link? Running from 2000 to 2012, the show enjoyed quite a bit of popularity back in the day. Host Anne Robinson’s catchphrase “You are the weakest link, goodbye!” even became part of the cultural lexicon for a moment in time. A business’s cybersecurity strategy will inevitably have its own weakest link. No matter how well designed it is, no system is invulnerable to attack. For many businesses, vendor relationships are the weakest link. There are numerous reasons for that, ranging from third-party data access to weak authentication methods. Let’s explore how you can fortify these relationships and ensure you and your favorite vendors never need to say “goodbye.”
Vendors: a beneficial but potentially risky relationship
A good vendor relationship can be highly beneficial, bringing cost savings, expertise and innovation that can translate into lasting competitive advantage. However, there is no question that vendors can introduce security risks for a business. One of the most significant is the potential for data leaks. If a vendor doesn’t have good security policies but has access to a business’s critical systems, that can be a potential attack vector for criminals.
But that’s just the tip of the iceberg. Vendors may use third-party tools with security gaps, rely on weak passwords, or fail to meet title industry security standards. Lastly, in the event of a security incident, a vendor may not have a dedicated incident response plan, which could lead to a disruption for your business.
Simple, straightforward security steps can help
While these risks are no doubt significant, there are a lot of simple steps you can take to make your vendor relationship more secure. The most important one is also the most obvious. Only give your vendor access to the systems and data they need to meet the conditions of your service agreement.
Beyond access control, there are several other precautions to take. It is wise to lay out cybersecurity roles, responsibilities and expectations at the start of any vendor engagement. Clear expectations help vendors handle your data responsibly, respond to incidents, and uphold security policies.
You and your vendor should also be on the same page on how you will respond if a security breach unfortunately does occur. Planning ahead can minimize disruptions and long-term damage to your business. Of course, all this hinges on first developing a trusting dynamic with your vendor. If you don’t communicate openly and transparently, it becomes much more difficult to collaborate on security goals and grow together.
Lastly, it is always a good idea to conduct regular security check-ins with your vendors. This is a good way to remain aware of the systems and data your vendor has access to. These meetings can also be a time to quickly and efficiently communicate any changes in your cybersecurity strategy.
The role of vendor security agreements (VSAs)
One of the best ways to make sure you are taking the precautions outlined above is by putting together a comprehensive vendor security agreement (VSA) at the beginning of a new vendor engagement. VSAs are a critical tool for managing security risks in third-party relationships, covering data protection protocols, compliance and responsibilities in the event of a breach. Other provisions often included in a VSA encompass access controls, encryption requirements and multi-factor authentication (MFA) policies.
Additionally, a good VSA should include your agency’s incident response framework. If you’re considering developing a framework, detail how quickly a vendor must notify you of a security event and clearly list what steps they must take to help fix the issue. This can be an especially important provision. Data shows that the timeline from when an average vendor discovers a security problem to when they notify their client is often quite long. But it can be reduced when there is a contractual obligation to notify.[i]
Lastly, businesses should also explicitly define in their VSA how they want to approach periodic security audits for their vendors. It is perhaps the most effective strategy for ensuring alignment with evolving cybersecurity standards.
Toward an ever more productive and profitable partnership
It is a rotten feeling when a vendor causes a security incident, and you must deliver an Anne Robinson-style dismissal. With a little extra work, however, you can secure these relationships and help prevent security incidents before they start. When your vendor partnerships are safe, an even more productive and profitable dynamic becomes possible.
[i] https://www.jdsupra.com/legalnews/dramatic-increase-in-the-number-of-9184679/