Four cyber security questions when considering your vendors

How companies can determine that their vendors are cyber-secure

Key takeaways

  • Vendors have more frequently become targets for cyber criminals attempting to breach the companies they serve
  • Failure to maintain appropriate vendor controls can have long-lasting consequences, from service interruptions and regulatory violations to financial loss and reputational damage
  • Companies can mitigate risk by setting meticulous vendor-selection standards and conducting continuous and disciplined oversight

1. Whose job is it to assess vendor risk fundamentals?

Company decision-makers must assess their risks before outsourcing, with a meticulous review of the providers’ people, policies and technology. Before vendor discussions begin, you should have a clear sense of how and where data flows, regulatory considerations, and data protection and recovery plans.

“Businesses of all types are relying on third-party services to stay competitive, but many are worried about the security risks that accompany these relationships.”

2. How do you set the terms of service and security?

A thorough service contract that details your company’s requirements and risk parameters can provide a protective framework for the vendor relationship. Before signing any agreement, you need to ask questions about risk within the vendor’s environment and make sure that regular reviews and reporting will be a part of the core service.

In a global survey, 84% of companies experienced a third-party risk incident in the last three years.¹

3. What can help ensure vendor compliance?

Independent reports, conducted by outside parties like the American Institute of Certified Public Accountants, can provide an extra layer of oversight and an assessment of trustworthiness and diligence. Some companies ask their vendors to comply with remote audits. Others may request automated reports, or that the vendor adopt controls to enable real-time monitoring. But as with any other element of digital operations, even automated tools are of limited effectiveness if the people deploying them are not responsive. In an emergency, the most reliable quality indicators may be whether or not the vendor immediately picks up a distress call and rolls out an efficient response.

4. How do you gauge trustworthiness?

Some decision-makers look at a vendor’s people-oriented skills as a gut check before narrowing the search for the right third-party service provider. Any vendor that touches a company’s networks and most valuable data will need to demonstrate trustworthiness, a willingness to understand a client’s unique needs, and accountability in terms of contracts and reputation.

¹ Deloitte, Third-Party Risk Management (TPRM) Global Survey, 2020.