Here Is Why Your IT Support Should Help Handle Your Third-Party Vendors
Dealing with IT vendors is a part of doing business. Whether you’re a partner in a law firm, COO for a construction firm or a CFO at a hedge fund, you need specialized, industry-specific technology to make sure your business is productive and profitable. While it’s easy to trust that your vendors will be able to implement and support their products, it’s another thing entirely to assume they’ll do so with your security in mind.
Sensitive data is often captured, stored and processed on third-party vendor technology, so without the right IT security measures in place, all of that data could be at risk. It won’t matter how secure your foundational IT is if the specialized technology you use is vulnerable.
You already go to great lengths to train your staff so that you can trust them with the sensitive data your business uses; you should be just as confident in your IT vendors.
Are Your Vendors Putting You At Risk?
According to the Ponemon Institute, 80% of businesses agree that vendor security is important, yet only 60% take any action to verify it. Several key findings expose the role your vendors play in your security:
- Businesses share confidential information with an average of 583 third parties
- One-third of businesses have no vendor risk management policy in place whatsoever
- The businesses that do undertake third-party risk assessments spend an average of 15,000 hours each year doing so
Either way, your vendors are costing you something: unmanaged, they expose you to unnecessary risk; managed, they draw a considerable amount of time and money from your organization.
Have You Assessed Your Vendor’s Cybersecurity?
You can’t just hope or assume that your vendors are protecting your clients’ data – you need to find out for sure.
No matter how secure your main location is, that defense doesn’t automatically extend to the vendors you work with. As part of your supply chain, vendors need to be as secure as you are.
That’s the purpose of Written Supervisory Procedures (WSPs): they set out, in writing, the standard your vendors must meet. Double-check that your vendors have the following in place:
- Mandatory security controls
- Notifications concerning issues and breaches
- Accepted security settings and vendors
- Assignment of duties and responsibilities pertaining to cybersecurity controls
- Training curriculum and testing protocols
Furthermore, you should be testing their implementation of these standards, not just reading their policy. Make sure your assessment covers:
- Security Measures: The assessment should determine the strength of their password policy, whether the firewalls in place are actually configured to block what they claim to block, and whether access control lists restrict which users can reach sensitive information.
By ensuring these controls are properly configured and kept up to date, their systems become that much harder to compromise.
- Reliable Failsafes: Despite best efforts, even the strongest security measures can be overcome, whether by a data breach or by an unexpected emergency on their premises. An assessment should verify that they keep regular backups both on-site and off-site, and that restoring from those backups has actually been tested, so they can be relied upon in the event of a disaster.
- Documentation: Don’t leave anything open to interpretation, or buried in an email that can’t be found when needed. Document all policies and expectations, and likewise, track and request any vendor reporting you are entitled to, so you hold your own record of what they have committed to.
- Comprehensive Maintenance: Security measures that are not updated regularly quickly become ineffective. In the course of an assessment, confirm that their security settings meet industry standards, that patching and maintenance are configured to run automatically, and that the accounts of former employees have been removed from the system (a dangerous and frequently overlooked error).
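The last two bullets above (who holds access to sensitive data, and whether former employees still have accounts) are the parts of a vendor assessment you can verify mechanically rather than take on trust. The script below is an added example, not code from the original article or from any vendor product. It assumes you ask the vendor for two exports, an HR roster of current staff and a listing of accounts with their group memberships and last login, and it reconciles them to flag orphaned, dormant and never-used accounts, raising the severity when such an account also sits in a group that reaches sensitive data. The group names, the 90-day dormancy threshold and all of the sample data are constructed for illustration.

```python
"""Vendor access review over a constructed account export.

Added example; not code from the original article or any vendor tool. It
assumes two exports from the vendor: an HR roster of current staff (a set of
usernames) and an account listing with group memberships and last login.
Group names, the dormancy threshold and the sample data are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Groups whose membership grants access to sensitive client data (assumed names).
SENSITIVE_GROUPS = frozenset({"client-data-admins", "backup-operators"})
DORMANT_AFTER_DAYS = 90  # assumed threshold for flagging unused accounts


@dataclass(frozen=True)
class Account:
    username: str
    groups: frozenset[str]
    last_login: Optional[date]  # None means the account has never logged in


# Constructed sample data standing in for the vendor's HR roster ...
HR_ROSTER = frozenset({"alice", "bob", "carol"})

# ... and for their system's account export.
ACCOUNTS = [
    Account("alice", frozenset({"staff"}), date(2020, 2, 20)),
    Account("bob", frozenset({"staff", "client-data-admins"}), date(2020, 2, 25)),
    Account("carol", frozenset({"staff"}), date(2019, 9, 1)),                      # unused for months
    Account("dave", frozenset({"staff", "backup-operators"}), date(2020, 1, 15)),  # left the company
    Account("svc-report", frozenset({"client-data-admins"}), None),                # nobody owns it
]


def review_accounts(accounts, roster, sensitive_groups=SENSITIVE_GROUPS,
                    today=date(2020, 2, 27), dormant_after_days=DORMANT_AFTER_DAYS):
    """Return a list of findings, each a dict with account, kind, severity, detail.

    Checks performed:
      orphaned         - no matching person on the HR roster (former employee
                         or unowned service account)
      dormant          - last login older than the dormancy threshold
      never-used       - account exists but has never logged in
      sensitive-access - account is in a group that reaches sensitive data
    A problem account that also holds sensitive access is rated high.
    """
    cutoff = today - timedelta(days=dormant_after_days)
    findings = []
    for acct in accounts:
        privileged = sorted(acct.groups & sensitive_groups)
        severity = "high" if privileged else "medium"

        if acct.username not in roster:
            findings.append({"account": acct.username, "kind": "orphaned",
                             "severity": severity,
                             "detail": "no matching person on HR roster"})
        if acct.last_login is None:
            findings.append({"account": acct.username, "kind": "never-used",
                             "severity": severity,
                             "detail": "account has never logged in"})
        elif acct.last_login < cutoff:
            findings.append({"account": acct.username, "kind": "dormant",
                             "severity": severity,
                             "detail": f"last login {acct.last_login.isoformat()} "
                                       f"is before cutoff {cutoff.isoformat()}"})
        if privileged:
            # Informational: every holder of sensitive access should be justified.
            findings.append({"account": acct.username, "kind": "sensitive-access",
                             "severity": "info",
                             "detail": "member of " + ", ".join(privileged)})
    return findings


def accounts_by_kind(findings):
    """Group flagged usernames by finding kind, for a quick summary."""
    summary = {}
    for finding in findings:
        summary.setdefault(finding["kind"], set()).add(finding["account"])
    return summary


if __name__ == "__main__":
    report = review_accounts(ACCOUNTS, HR_ROSTER)
    for f in sorted(report, key=lambda f: (f["severity"], f["account"])):
        print(f"[{f['severity']:6}] {f['account']:11} {f['kind']:17} {f['detail']}")
```

On the sample data the review flags "dave" and "svc-report" as orphaned with high severity (both sit in sensitive groups), "carol" as dormant, and lists "bob" as a justified-or-not holder of sensitive access, while "alice" produces no finding. In practice the orphaned list is the one to send back to the vendor with a deadline: each entry is either a former employee whose access was never revoked or a service account with no named owner.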
| Published on February 27, 2020