Deloitte published a report recently, noting that “the market is currently underinvested in the area of vendor management, particularly when it comes to tools, methods and processes.” This same report also noted that businesses are increasingly outsourcing functions. As vendors have become more important in the day-to-day functioning of businesses, companies need to ensure that their data is safe on these third-party networks.
For organizations that are just getting started with a formalized vendor risk management (VRM) program, BitSight Technologies has prepared a list of the do’s and don’ts of sharing sensitive information with vendors.
Working with Third-Party Vendors
Click through for a list of the things you should and should not do when sharing sensitive information with vendors, as identified by BitSight Technologies.
Do Understand the Value of Your Data
Do understand the value of the data to your organization prior to allowing any third party to access it. Being able to differentiate data that is highly sensitive from data that is only moderately sensitive is an important step — and you’ll need to be able to draw those conclusions before a vendor has access.
Do Create Security Expectations
Do create security expectations for your vendors, describing how they should secure your data. These expectations shouldn’t be casually mentioned at the beginning of a business relationship, but rather cemented into your vendor contract. Make these expectations legally airtight, so your mind — and the minds of those in upper management — can rest at ease.
Do Establish an Incident Response Plan
Do establish an incident response plan. Having a procedure for your third party to notify you in an event of an incident affecting their organization and/or your data is most certainly a best practice. This is a written procedure that is usually referenced in the contract and developed by the third-party organization. It outlines who the third party is to contact if a security breach does occur. The first party is responsible for ensuring that the vendor has the right procedures in place, accurate contact information, and a clearly established timeline of when that communication will happen.
Do Share Only the Minimum Information Required
Do share only the minimum information required for your vendor to meet your objectives. If, for example, your vendor will be monitoring your HVAC system remotely, you’ll want to ensure that they only have access to the part of your network that controls HVACs, and virtually nothing more. Such access management could have saved Target from its massive, highly publicized breach that affected the personal information of over 110 million customers.
Do Continuously Monitor Third-Party Contractors
Do continuous monitoring of your third-party vendors and contractors with respect to cybersecurity. Even if you put your vendors through all kinds of audits — which you should — you still don’t know what is going on in their network on a day-to-day basis. Continuous monitoring software helps you keep an eye on all your vendors, so you can make better, data-driven decisions.
Don’t Create Generic Security Expectations
Don’t create a generic expectation for security. You’ve probably heard of companies requiring their vendors to provide an “adequate” level of security. This is not a good practice, because “adequate” can be interpreted many different ways. You have to be clear about expectations in regard to security if you want to decrease your chances of third-party security issues. Ideally, you should cite an industry standard like ISO27001, NIST800-53, or the PCI data security standards.
Don’t Allow Access Without Proper Assessments
Don’t allow third parties to access your data without doing proper assessments. Understanding the cybersecurity posture of your vendors can be a painstaking process. It should involve a combination of questionnaires, on-site assessments, technical assessments, and near-constant communication. If you take care of your pre- and post-contract due diligence, you’ll feel far more prepared for them to gain access to your data.
Don’t Let Everyone Have Access to Your Data
Don’t let everyone in the third-party organization — or your organization — have access to your data. This is a pretty simple, but important concept. Your organization should clearly establish which individuals at a vendor company have access to your data. Consider putting controls in place to help guard entry to your data, so it isn’t easily accessible. Privileged information should only be available for a select few individuals who need access for a very good reason.
Don’t Allow Access from Unapproved Devices
Don’t allow third-party users to access your data using unapproved devices. Anyone accessing sensitive information should be using their work-approved computers on approved networks. If someone decides to access your information on a personal laptop at a coffee shop, your organization can’t adequately monitor usage — and the likelihood of someone gaining access to your “crown jewels” is far more likely.
Don’t Provide More Info than Necessary
Don’t provide vendors with more information about proprietary products or information than they need. In other words, make sure you’re properly addressing the risk involved with your supply chain. Let’s say your organization is designing a really sensitive smartphone, and you decide to work with a vendor who can supply you with specialized screens. That particular vendor does not need access to all of your sensitive phone design information and data — they just need the specifications that will help them successfully create the phone screen. It cannot be overstated how important it is to protect your most sensitive data and information.
One Final Point
Do make sure you use this list as a starting point – don’t only rely on this information to ensure that your data is entirely secure! The hope is that these suggestions provide you with a great place to start or affirm you’re headed in the right direction in regard to IT risk management — but they can’t replace thorough vendor due diligence. Make sure you do your homework!
