Eight Cybersecurity Questions To Ask When Choosing A Vendor
By Beenu Arora
Cybersecurity readiness has many benefits, but unless it is complemented with the right controls, that knowledge won’t stop malicious characters from breaching an organization’s security walls. According to a 2019 Juniper Research report, the cost of data breaches is forecast to rise from $3 trillion each year to $5 trillion by 2024.
This is particularly important for large organizations that rely on third-party services to conduct their core operations. A 2018 study by Opus and Ponemon Institute found that almost 60% of companies experienced a data breach linked to a third-party vendor.
For example, in 2019, Quest Diagnostics announced the breach of 11.9 million patients’ information through its third-party bill collections agency. A more recent example comes from digital banking provider Dave, which in July disclosed a breach involving 7.5 million users’ information. The company said the breach resulted from one of its former third-party providers.
Ultimately, data breaches result in significant financial and reputational loss for affected companies. To minimize these risks and losses, organizations need to be aware of third-party cyber threats and adopt new techniques for vetting their vendors and business partners. Here is why organizations should take third-party threats seriously, along with the cybersecurity questions to ask when choosing a new vendor.
More Vendors Lead To Increased Third-Party Cyber Threats
The main challenge organizations face in managing third-party cyber threats is that their partners’ security controls are outside the company’s direct control. Organizations invest money and skilled people to secure their information systems from data breaches, but this generally only covers their internal environments and leaves them with limited control over the security measures implemented by their service providers.
What To Ask When Choosing A Vendor
To help determine whether a potential partner takes security seriously, here are eight questions to ask yourself when reviewing a new vendor for your company.
1. Do they have a security contact or chief information security officer in place? If a third party deploys dedicated resources to manage risks and safeguard its critical information, it shows the vendor takes its security posture seriously.
2. Do they have industry certification, or are they aligned with an industry framework such as NIST? While industry certification may not necessarily indicate the effectiveness of third-party security controls, it does provide additional assurance about the vendor’s commitment to protecting their systems and customers’ information.
3. Do they have a mature threat management and intelligence program in place? It’s important to ascertain the effectiveness of their security controls. This can be done by reviewing independent security audit reports to assess the vendor’s vulnerability management, secure software development processes and threat management programs, such as cyber intelligence.
4. Do they allow “right to audit”? Depending on the risk profile of a third party, you may want to consider including a clause providing the right to audit the third party’s systems to ascertain their risk and exposure.
5. Do they have a mature incident response plan, including incident notification service level agreements, in place? Regulations regarding data protection and privacy have become stringent, and organizations are obligated to disclose material breaches within a specified timeframe. The responsibility of the disclosure is with the data owners and custodians, so your organization would need to work closely with an affected vendor to meet those timelines to avoid potential non-compliance or penalties.
6. Did they suffer any significant cyberattack or data breach? No organization is immune to cyberattacks; however, when an organization faces a notable breach, it’s prudent to understand the failed controls and how the organization addressed them to prevent a recurrence.
7. Are your data processing requirements aligned with the vendor’s offerings? Organizations may have stringent requirements or business needs to process or not process data in specific locations or regions. When selecting a vendor, those requirements must be agreed upon and monitored on an ongoing basis.
8. Do they have a good cyber score? It is prudent to ascertain an organization’s exposure on the surface web, deep web and dark web in order to predict the likelihood of a breach. There are a number of organizations that provide cyber scoring for vendors and also allow you to benchmark them against similar vendors.