Ostendio Blog

Are you Managing your Vendor Risk?

Written by Ostendio | Jul 20, 2018 4:42:34 PM

It’s not uncommon today for businesses to outsource certain services to third-parties. However, with outsourcing, the risks of the service organization are inherited by the company who hired them. In some cases, a third party vendor may be a crucial part of your business operations.When it comes to vendor risk management (aka third party risk management), how are you mitigating your vendor risk?

Take last fall’s third party data breaches of Sears and Delta Airlines, or Target’s massive breach. Do you know who caused those? No. You know that a “trusted brand” failed at securing your private information. And truly, the lack of third party risk management does mean the buck stops with them.

Why is such an important aspect of how we do business often overlooked? Particularly when we understand three important facts related to data security risk:

  • Systems are designed to interact.
  • Data is always moving.
  • Cybercriminals are constantly scanning for vulnerabilities and seek out the most vulnerable point of entry.

A great quote from Geoff Belknap, CSO of Slack puts it this way, “If your business makes money by collecting, hosting or processing data from others, you’re a security company. Act like it.”

Yet for up to 60% of security breaches, the most vulnerable access point is through a third party. The trick to avoiding a third party security breach is to know that your vendor partner takes security as seriously as you do. To do that you need to understand what their risk management strategy is.

You can screen out high risk third parties with a few fundamental “burden of proof” evaluations. As part of your due diligence, discover if:

  • Their security program is enterprise-wide and includes their vendor partners.
  • Every network connection is seen as a potential back door to data.
  • They know data doesn’t live in a fixed environment.
  • They have any attestation reports such as SOC 2 or certifications such as HITRUST.
  • Their security program can meet all relevant regulatory or certification requirements (HIPAA, HITRUST, FDA, NIST)

Ostendio’s MyVCM gives you – and your third-party vendors – the tools to effectively handle data privacy, security risk management and compliance activities in real-time. It makes it easier to onboard a third party vendor, to track activities and to collaborate on a stronger, more effective security program. Contact us today to learn more about how we can help your manage your vendor risk.