Proper security involves more than just making sure your own ducks are in a row. It also extends to any organization that’s providing data to you, has access to your system, or has sensitive information that you’re sharing. Your partners could be a problem for the data you’re responsible for protecting.
It’s vital to your own security to vet your vendors. The backbone of your compliance program depends on it. Target lost nearly half their profits in a single quarter after a very public data breach. The attack was successful not because Target’s security was poor, but because an HVAC vendor wasn’t prepared.
Let’s take a look at how you can be more confident that your vendors won’t set you up for a nasty surprise.
Who Should You Vet?
Vet any organization that has physical or electronic access to sensitive information — credit card data, medical data, personally identifiable information, intellectual property, and any data your customers require you to protect. Vet any vendor that would have access of any kind to that data. That could include cleaning services, a letter envelope mailing company, an email or CRM vendor.
That includes vendors you’ve done business with for years. Just because you’ve never had an issue with them doesn’t mean you couldn’t have one at some point. Past working relationships don’t guarantee future security. Review your existing vendors annually, and evaluate your new ones before you hire them.
If you’ve never vetted your vendors before, the simplest way to start is to go to your Accounting Department and ask for a list of everyone you’ve paid in the past year.
Who Should Do the Vetting?
The best person to vet your vendors for security is a security professional. Don’t leave it to your CEO or an IT person. If you don’t have an internal security expert, get some outside assistance from someone who knows that arena. Your people will learn over time, but it’s critical to lean on the expertise of security professionals. If you don’t know where to start looking, TCT can point you in the right direction.
Likewise, rely on legal experts to review vendor agreements. Over time, you may build the internal knowledge to feel comfortable reviewing the documents yourself, but if there are any questions, you should certainly seek outside legal counsel.
Make sure whomever you use is familiar with the cyber arena (not the business contract lawyer you’ve had for years). If you need a referral, TCT can connect you with someone who can help. We’ve helped connect businesses with vendors that will do a good job for years. We don’t take referral fees as we’re seeking what’s in your best interests, not ours.
Review the Compliance Report
The simplest way to start your vetting process is to review your vendors’ compliance reports. Don’t simply receive the report and shelve it — read it. Based on more than a decade of consulting experience, my hunch is that most companies don’t even read their vendors’ reports. They have the piece of paper in their hands, and they trust that it covers their needs.
The devil is in the details when it comes to a security report. Let’s say you have a vendor that’s an internet-based mass distributor of products. They give you paperwork for their security and compliance. You file it away, and you don’t look at it until there’s a problem. When you pull it out and review it, you discover to your horror that the paperwork covered their storage facility in Kentucky. It has nothing to do with the ecommerce side of their business — the part that’s relevant to you. Or, the paperwork is for ISO 9001, which has nothing to do with internet security.
Read every document, and look for the following things:
- Date of the report. Make sure it’s valid and that the assessment has been performed within the past year.
- Scope of the engagement. Does it match the services that the vendor will be providing to you? I have had more than one client with vendors that supplied paperwork that had nothing to do with the services provided. In many of the cases, they accidentally sent the wrong report — but in about half of the cases, the vendor simply assumed they were fully compliant when they weren’t (or they were being deceptive).
- Certifications they’re subject to. Some standards are more prescriptive than others. For example, PCI doesn’t simply stipulate what you need, but how it should be implemented. HIPAA, on the other hand, allows you to determine for yourself how you will fulfill each requirement.
- Processes. If they’re using a less prescriptive standard, take a look at the details of the security report. What controls are they using? How are they addressing issues? Does the approach make sense? Just reading how they’re fulfilling various line items can be very insightful to how seriously the vendor takes security and compliance. Are they going above and beyond, or are they just doing the bare minimum?
- “Not Applicable” statements. As an extreme example, if your vendor deems penetration testing and vulnerability scans as not applicable, that should raise some eyebrows. What explanations did they provide for anything they deemed N/A?
- Locations. Make sure the paperwork covers the facilities you’ll be leveraging.
- Noted exceptions. Compliance reporting from the Assessor or Auditor may call out exceptions that were discovered. Often, the exceptions will be accompanied by a management explanation of the exception and the things they’ve done in response. Ask sensible questions about those exceptions.
Talk to the Right People
Never trust a salesperson’s guarantee about security — not because they’re untrustworthy, but because they rarely know anything about security and compliance. If you have questions that arise from the security and compliance report, talk directly to the person who is responsible for security and compliance at that company.
When you talk with a vendor’s security point person, get a feel for their level of expertise in this area. It’s not unusual to run into people who have been put in charge of cybersecurity simply because they’re the head IT guy or because they’ve “done an audit” before. IT and cybersecurity are two different things, and an IT professional is usually not equipped to deal with security and compliance issues at a deep level. Make sure they have a background in security and compliance, and that they’ve been at it for a number of years.
Review the Vendor Agreement
It’s important to go back to your written agreement on a regular basis and take a look at it with a fresh pair of eyes. Make sure they’re taking responsibility for the things they’re responsible for — your data, your product, your intellectual property, etc. Do they have a clause that says they will maintain their security and compliance? Review any confidentiality clauses, and anything else that should be in there to protect your company.
Don’t Do This!
One thing to note: you can use automated questionnaires that are available for vetting vendors. Don’t use them. They won’t be customized to meet your vetting needs, and they usually ask for more information than you need. That puts undue burden on the staff of your organization, and your vendors.
Some of these questionnaires even request information you have no business seeing. For example, some will ask for the actual data results from the latest penetration test. Or they’ll request vulnerability reports directly from the scan engine. Those reports contain sensitive internal information that no external organization should have the right to request.
Overwhelmed? We’re Here To Help.
Vetting your vendors is an integral part of a robust security program, because your security is only as strong as the weakest link in the chain. If you need a security professional to help you, TCT can make it easy!