More and more companies today operate in the cloud, sharing their data on a daily basis with vendors, partners and customers. As previously covered in this blog (Ebook: Why Your Organization Needs to Start Thinking about Third Party Security), the frequency and size of data breaches are on the rise in part due to an increasing reliance on SaaS technologies. Because of that, the information shared with third party vendors can be at risk.
Executives are aware of the issues that can result from working with third party vendors; however, this doesn’t always translate into additional resources or priorities for their Information Security teams. As the company works to protect sensitive information while doing business with third party vendors, these five steps can help raise awareness with the leadership team of the threats that third party vendors can pose.
1. Access or Build a Third Party Vendor List
At any given time, organizations should be able to review a complete list of all vendors and their services. If that is unavailable, building that list should be the first priority.
2. Know What Information Vendors Are Able to Access
Organizations should know what sensitive information or applications third party vendors have access to. Using that data, the aforementioned vendor list can be categorized by inherent risk. Often, organizations find a few surprises in the form of tools that were added without review, or of who has access to highly sensitive data, such as employee or customer data, or any other data type classified as risky or confidential.
3. Match the Assessment Process to the Risk Level
When an organization sets out to design an assessment process, it should match that process to each vendor’s risk level. Customize the security questions, documentation requests and recurring assessments based on the vendor’s risk level. This also spares the team from having to sift through irrelevant information produced by unnecessary due diligence. Even low-risk vendors require re-assessments. Security postures and product use cases can change, so don’t ignore vendors under the assumption that they were reviewed once in the distant past.
4. Don’t Forget New Vendors
Companies add new vendors to their third party list all the time. Make sure there is an ongoing process to gather their information and record what data they can access. This can be made easy by involving the security team early in the procurement process. Usually, the employee leading the purchase has the information needed to conduct an initial analysis of inherent risk and the level of assessment needed. This prevents an ever-growing backlog of vendors to assess and the challenge of staying in front of that list. Also, make sure to choose a central repository to store all of the security-related data from previous assessments where it can be easily accessed.
5. Start With A Few Key Leaders
Work to select a few key leaders to meet with to gain more organizational buy-in. Protecting sensitive company data is everyone’s responsibility; however, company-wide engagement can be difficult. Finding a few leaders to get on board can be the key. Meet with these leaders and educate them on what security reviews entail, how to speed up the process of assessing a new vendor and the risks involved with third party vendors. Focus on that last piece. The more they understand the potential risk, the more buy-in they can give.
Is the Organization Prepared?
Third party vendors should be a benefit to the organization, increasing the speed with which it does business, not a risk factor. There are ways to manage security assessments that will ensure the Information Security team is always in the know. Taking an inventory of the ways in which the organization currently manages third party vendors, and reviewing how to implement the suggestions proposed above, will help to manage overall risk more effectively and protect the company, the employees and the customers.
Interested in learning more about why third-party security is critically important? Download and read the latest e-book.
Located in the heart of the Silicon Slopes in Utah, Whistic is a leading third-party security assessment platform. Built for information security teams looking to improve the effectiveness, efficiency and scope of their third-party security assessment program, Whistic enhances productivity and unlocks insights traditionally trapped in static security questionnaires. Using the platform’s intelligent and automated recurring assessments, Whistic customers eliminate the administrative burdens of back-and-forth third-party requests and free up time to focus on security. The Whistic platform is designed for an intuitive and collaborative user experience and harnesses the wisdom of hundreds of security professionals to deliver risk insights through its proprietary CrowdConfidence scoring algorithm.