Sourcing Responsibility to Vendors Could Be Your Biggest Mistake

Today, most businesses rely on third-party vendors and service providers to outsource business processes. For small businesses especially, this practice is the norm for good reason. Vendors can cut costs and increase the efficiency of your company significantly, giving you the freedom to focus on what you do best at the lowest possible cost.

Still, this practice comes with its own set of drawbacks, particularly when companies confuse the outsourcing of business processes with the outsourcing of security responsibility. As a result, they’ve created massive security vulnerabilities. In fact, one recent study by LinkSource and Ponemon Institute found that 51% of organizations experienced a data breach as a direct result of a third party. 

While the blame may lie at a vendor’s feet, your angry customers won’t see it that way. More than likely, you’ll bear the brunt of the backlash. The aftermath of recent data breaches only prove this point—when massive third-party breaches occur, the company ends up shouldering the responsibility, not the vendor. And that responsibility comes with a high cost, with third-party breaches costing companies an average of $7.5 million to clean up. 

Unfortunately, you can’t simply wash your hands of your vendors’ security problems—no matter how much you may want to. You need to take every part of your business’s safety, no matter the size, into your own hands. Take these five steps to get started:

1. Start with the contract. A contract between you and your third-party vendor is a great start, but you need to be very clear about how it will be enforced and monitored. Ask, “Is this done on an ongoing basis?” “What are the service-level agreements?” and “How are they tracked?” Determine whether your organization has a process or mechanism to inventory your vendors and service providers and require these third parties to complete a vendor security assessment questionnaire. These questions should be fully answered before you sign anything, and they should be monitored and reevaluated for compliance on a regular basis.
2. Determine your risks. Risk is often cast in a negative light. However, risk is an opportunity to optimize your business that can lead to more efficient and streamlined processes. Start by researching and cataloging the ways in which outsourcing a particular business process leaves you vulnerable. What data will the third party be processing? Can you do something on your end to protect yourself? What are your vendors doing to ensure the safety of your data? If you know what’s at risk, you can identify the best way to protect it.
3. Take an inventory of your vendors. According to the same LinkSource and Ponemon Institute survey, more than half of organizations do not have a complete inventory of all third parties with access to their data and network. Keeping an inventory of third parties is a critical part of access and identity management in your network. Within that inventory, rank the level of risk each vendor brings your organization based on the access they have to your network. To get started, survey your department heads to see which vendors are being used in each department and how they’re being managed. While IT certainly plays an important role in vendor management, it’s not just an IT issue. Every department must play its part. 
4. Create a workflow. Establish workflows within your organization to manage and address third-party risks. For instance, mapping out the workflow with a responsibility assignment matrix can help you figure out what your employees’ roles and responsibilities are in terms of managing vendor security.
5. Find the right tools for the job. You don’t have to develop your own risk management tools, especially if you’re short on time and resources. As vendors continue to play a bigger role in the small business arena, more and more vendor management tools and services have sprung up. 

Organizations like ISACA and programs such as the Shared Assessments Program have created suites of tools to manage vendor risk and ensure compliance. A governance, risk, and compliance tool will help you manage your processes and policies to ensure they’re being followed.

A virtual chief information security officer (vCISO) can be another valuable asset to your business when it comes to managing vendor risk. A vCISO can help to create and implement a secure vendor management program, find the right tools for your specific company, and manage vendor risk assessment questionnaires. This is a particularly great option for companies that may be too small to hire a full-time CISO or manage third-party vendors on their own. 

Whether you’re conducting your business in-house or through a third-party vendor, the security responsibility will always lie at your company’s feet. By monitoring your vendors and consistently reassessing how they’re being managed, you can ensure the security of your vendors and the safety of your employees and customers.

This post was originally published on SCORE.