house of cards on a wood table, connoting instability
PHOTO: shutterstock

Have you been enjoying all of that restful sleep you’ve been getting since you established a digital policy program for your organization? Well, get ready for a new nightmarish reality: All of your security protocols are absolutely worthless as soon as you give a vendor access to your internal systems or choose to move your data and processes into someone else’s systems.

Oh, you did your due diligence and thoroughly vetted them? But what about their vendors? And their vendors’ vendors? Because any weakness on the part of vendors becomes your weakness, too.

Just ask Target. The fact that its infamous breach of 2013 was traced back to credentials stolen from an HVAC vendor did little to shield it from the ramifications. (There are also questions, of course, about why an HVAC vendor would have access to critical customer databases, but you already addressed cordoning off sensitive information in your own digital policies ... right?)

The Target breach was far from an isolated incident. One recent survey found almost half of the responding organizations said they had experienced a “significant, business-altering” breach that could be traced back to a third-party vendor.

Limogés Jewelry, for example, stored sensitive information in a publicly accessible Amazon S3 cloud bucket. That oversight exposed names, addresses, email addresses, passwords, and payment information for over 1.3 million Walmart customers. The exposed records went back as far as 2000, and Walmart wasn’t the only company affected. Limogés Jewelry’s records also exposed data for other retailers, including Amazon, Overstock, Sears, Kmart, Target and more.

The lesson learned here is you can’t assume you’re safe just because you go with a big-name vendor. Whether you’re dealing with a small startup or a firm considered to be among the best in the world, you’re still responsible for vetting every vendor in your ecosystem.

How to Safely Manage Your Vendor Ecosystem

It can be tough to enforce compliance with your digital policies on vendors so far down the chain you don’t even know they exist. But, since you and thousands of other organizations will still be in the hot seat if they mess up, it’s becoming an increasingly important topic of discussion. And the consensus so far is that the best way to work with vendors who are several steps removed is by conducting due diligence on the front end and then using your vendor contracts to cover any issues that remain.

Related Article: Losing Sleep Over Your Lack of a Digital Policy? You Should Be

Expand Your Digital Policies to Include Due Diligence for Vendors and Third Parties

If you consider the digital revolution to be the equivalent of the “big bang,” we’re now at the rapidly expanding universe stage. That means your digital policies have to expand, too, so performing due diligence when vetting your vendors means vetting their vendors, too. That can include anybody from the vendor who handles their payroll to downstream payment processors like PayPal, Stripe, etc.

I mention “digital policies” because you can’t address external party risk management as a one-off, with each functional area doing it their own way or even starting from scratch each time. Developing digital policies around vetting the entire ecosystem of prospective vendors ensures that it’s done the same way every time, that no area of potential risk is overlooked, that no rejected vendor can complain of unfair treatment, and, finally, that you have documented proof of your processes in case the unthinkable happens.

What Should Vendor Due Diligence Processes Include?

Hopefully, your organization’s digital policies already lay out the steps your own employees are required to follow when vetting vendors. In enterprise-level organizations, it’s not unusual for employees to have to initiate a vendor certification process before they can begin work with a new vendor. That certification process can include multiple rounds of vetting, depending on how much access the potential vendor would have to sensitive data.

In smaller organizations, functional areas may be responsible for conducting their own due diligence. Nonetheless, there should be an established process and workflow, with thorough documentation each step of the way.

Some of this work can be done in-house, through your own research. Other information must come from the prospective vendor. Either way, it should include getting answers to all of these questions — not just about your prospective vendor, but about everyone they do business with:

  • What is the prospective vendor’s reputation? Are they who they represent themselves to be? Are they financially stable? Do they have the resources to withstand natural disasters, civil unrest or data breaches? Have they been fined by regulatory agencies? If so, what were the violations, and have they been corrected?
  • Do they have digital policies in place, especially policies that address privacy and data security? A third-party vendor who hasn’t even begun addressing these issues represents a considerable risk to your organization.
  • Do they have penetration testing conducted by a qualified provider? If so, when was the last one, and what were the results? What changes did they make after the test? (A third-party vendor who is unable or unwilling to discuss test results should raise a big red flag.)
  • How often do they conduct access reviews, and how quickly do they remove people who should no longer have access? This is an important part of the principle of least privilege: making sure everyone has access only to data that is essential to doing their jobs, and removing that access once it’s no longer needed. Leaving active credentials in the hands of anyone who doesn’t need it is a very unnecessary risk.
  • How do they secure their data, both at-rest and during transmission? Is it stored behind robust firewalls? Is it encrypted at all stages?
  • Where will your data be stored? If it will be stored in a different country, do their laws regarding digital security play nicely with US laws?
  • Have employees been trained on security best practices? This includes things like using secure passwords and changing them regularly, immediately installing updates and patches, never writing down customer and payment information to enter later, etc.
  • How long do they keep records? Do they dispose of sensitive data as soon as it’s no longer needed? How do they dispose of it (both digital data and the physical devices on which it’s stored)?
  • What steps to they take when ending their relationship with a vendor? Do they delete the vendor’s credentials, change passwords, etc.?
  • Do they have incident reporting, mitigation and remediation protocols in place? In other words, does the vendor have the ability to detect a breach or attack in progress, and do they know what to do about it? Do they have an action plan for notifying everyone both up- and downstream?
  • What standards does the vendor maintain? There are a number that could reflect on you and your business: GDPR, PCI-DSS, W3C, HIPAA, SOC2, etc.

Again, let me stress how critical it is that your vetting processes be included in your digital policies. That’s the only way to ensure they get done every time — and to prove that they’ve been done, should questions ever arise.

What Should Your Deciding Factors Be?

That varies by organization, although I strongly encourage everyone to avoid vendors that carry a lot of baggage — or who use downstream vendors that do. What do I mean by baggage? Data breaches, inability to deliver on previous contracts, outdated digital technology or funding challenges. With that said, it’s really a matter of identifying your must-haves and your deal-breakers, and then assigning a weight to everything else. Applied consistently, that type of scoring will help you select the best vendor while avoiding complaints of unfair treatment.

Related Article: Who Is Your Weakest Link? The Risk of Cloud Partners

Revising Your Contracts and/or Vendor Agreements

Once you’ve done your due diligence and made your selection, it’s time to take another look at your standard contracts, which may not have been updated to cover today’s digital risks. In addition to referencing your vetting process and stating that the vendor has been selected based on the assumption that they will continue to meet your standards, you may also want to include a couple of other sections:

Indemnification

Depending on the geographic locations where you and your vendors are located (or the jurisdictions whose laws your contract specifies will be followed), you could require a vendor contract include an indemnification clause that states you are not responsible for any breaches that occur due to a third party’s negligence. Depending on your vendor’s contract with their downstream vendors or other third parties, any losses would then fall on them or the third-party vendor. (This assumes, of course, that you aren’t at fault in any way. Negligence on your part could void an indemnification clause.)

Consequences

Contracts should also specify consequences for your vendor should there be a breach or loss due to a third party’s actions. Such consequences could include immediate termination of your contract with the vendor, financial reimbursement of any losses you incur, additional penalties to rehabilitate your reputation or win back customers, etc. Or consider something that I like to recommend, a security bonus. For each year a vendor successfully maintains secure practices and doesn’t incur any data loss, they earn an extra 10%. Basically, they have already earned the money, and it’s theirs to lose if they follow poor practices.

Consider Buying Cybersecurity Insurance

In addition to revising your vendor contracts, it’s also a good idea to consider cybersecurity insurance. Several types of policies are available, so it’s important to read the details. Coverage options include:

  • Loss of data.
  • Fines or penalties imposed by regulatory bodies due to exposure of personal or sensitive data.
  • The costs of an investigation/forensics.
  • Hardware or network damage.
  • Lost revenue.
  • Lawsuits from individuals.
  • Costs of remediation, including things like providing free credit monitoring or reimbursing actual losses.
  • Assistance with tasks like notifying regulatory bodies and affected consumers.

As with any insurance policy, pay close attention to the wording, and have your legal counsel review it, too. There’s nothing like thinking you’re covered — and then the worst happens and you discover some sort of exemption in the policy’s fine print that leaves you hanging.

Related Article: Don't Be the Next Equifax: Tips to Avoid a Security Breach

Looking Toward the Future

Security standards and regulatory requirements are evolving at a breathtaking speed, as companies of all sizes try to keep up with rapid advances in technology. One thing we’re starting to see is vendors developing their own processes for “reverse due diligence” (also known as “managing up”). As vendors begin to receive lengthier, more specific questionnaires from prospective customers, the smart ones are developing standardized answers and making them available to anyone who may receive such a questionnaire. And some vendors are reaching out to prospective customers proactively, letting them know that they’re ready and willing to cooperate with their vetting processes.

Today’s Takeaway

Managing the vendor ecosystem in today’s world reminds me of one of those cheesy pandemic movies, where epidemiologists must work to identify everyone an infected person came in contact with — plus all of the individuals those people came in contact with, and so on. Every additional touchpoint in your vendor ecosystem introduces risks, and it’s your job to identify and resolve those risks. But in a world where everybody outsources, you can’t do it without your vendors’ help. Following these steps — every single time — is the best way to do that.