Keep your third-party vendors close

The next big data breach could hit your network through a third-party vendor—do you know who you are doing business with? Depending on the size of your business or organization, you may be working with third parties at multiple operational levels. Business partners, maintenance providers, and even take-out restaurants can leave your valuable network at risk. The 2013 breach of Target near the Christmas holiday occurred through the compromised credentials of a heating and air-conditioning vendor. With the addition of any third-party vendors to your organization, your risk management burden increases. Consider that a major supplier of yours is served by a network of vendors. When the supplier is added to your platform, anyone with access to their network could prove a security risk. In a regulated industry, your organization is responsible for compliance. This means identifying vendors and formalizing best practices to ensure all parties understand the requirements and risks. In guidance offered by PwC, the steps to effective risk management include:

  • Before contracting with a supplier or service vendor, perform a background check and appropriate due diligence to confirm the vendor is solvent and capable of assessing and addressing threats
  • Prepare contracts that reflect the risk and compliance requirements for vendors, and their workers or sub-contractors
  • Define the internal personnel responsible for obtaining and maintaining compliance information and obtaining certifications and risk audits

Be sure to standardize the definitions and procedure around onboarding vendors and business partners throughout your organization. Identify the points of vulnerability and use a secure platform to ensure compliant access management. Vendor risk management remains active throughout the lifecycle of a vendor with your company. Whether you work with only a few vendors, hundreds, or thousands, your network is only as safe as the security practices of your weakest partner. Know your third-party vendors—and know what they are doing to protect your organization from threats.