What information you should and shouldn’t give to vendors.
It doesn’t matter what industry you are in (although some industries, like healthcare, face stiff compliance penalties): your organization has to abide by hundreds, if not thousands, of laws—many of which are related to compliance.
I’m sure you are inundated with pamphlets, infographics and checklists offering a formula for complying with legislation and staying above board.
But one issue that mostly goes unnoticed and under-discussed is whether your vendors adhere to the regulations you are expected to follow. Many vendors—nearly 73% of them—either say they are doing what compliance requires but aren’t really (who’s checking, after all?) or don’t even understand what being compliant entails.
For many organizations, figuring out whether a vendor is compliant is too much work. Even worse, figuring out what information—including the sensitive information that many vendors request access to—is appropriate to share given your working relationship can be awfully tedious.
Today I want to give you a to-do list of best practices: what you should and shouldn’t do when it comes to protecting your data with vendors.
Your Vendor To Do List:
Evaluate the value of your data to your organization—many organizations give little thought to granting access to many types of sensitive information. Consider investing a little time in differentiating data that is highly sensitive, data that is moderately sensitive, and content you don’t care about being shared publicly. Be able to define who should have access to each class of data and whether a vendor should be permitted inside it.
Create expectations for your vendors describing how they should secure your data—essentially, you will want to put together security policies (probably the same policies your own team members abide by) for your vendors. If you are adhering to HIPAA security and data privacy standards, for instance, you should expect your vendors to adhere to the same standards. Make those expectations crystal clear and legally airtight, so that the vendor is a responsible party if something were to happen. Note: for HIPAA, you should have a Business Associate Agreement (BAA) with such vendors, which should put your mind at ease.
Create an incident response plan—what happens if sensitive data were breached? What will you do? Having procedures explicitly written to guide you through a vendor breach will make cleaning up the mess a WHOLE lot easier, especially if a vendor-related data breach affects your sensitive data.
What should be in an incident response plan?
The response plan should be referenced in the contract with your vendor. It should outline who in your organization needs to be contacted in the event that a data breach occurs. It should also provide you with a timeline of when communication will happen. If a vendor doesn’t want to commit or doesn’t feel comfortable with assuring a reasonable response plan, they likely aren’t the right vendor for you [Note: if you need help assessing your vendor management, consider a free network security assessment].
Only share the minimum information that your vendor requires to complete their work satisfactorily—most vendors ask for more access to your sensitive databases than they actually need. Vendors doing work related to one small area of your organization probably don’t need permissions that allow them to reach the entire network. More often than not, they end up asking for admin privileges without needing them. Giving vendors more access than they actually need has led to thousands of preventable data breaches in the past few years alone!
Monitor your vendors with regard to cybersecurity—are your vendors your weakest security link? Nearly 64% of organizations experiencing a data breach reported that the breach was in some way, shape, or fashion related to a vendor relationship. Ask your vendors—whatever they do (inside or outside of technology)—to submit to occasional checks of their network to ensure they are taking security as seriously as you are.
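The two list items above on classifying your data and on sharing only the minimum a vendor needs can be turned into a repeatable check rather than a judgement call made at contract time. The following Python script is an added example, not code from the original post or from any product it mentions: it holds a constructed sample data inventory tagged with the three sensitivity tiers the post describes (plus any regulation that applies), records what each vendor is contracted for and whether a BAA and a security assessment are on file, and then reviews an access request against all of that, flagging admin or whole-network requests, out-of-scope resources, unclassified resources, and regulated data with no matching agreement. All vendor names, resource names and thresholds are hypothetical.

```python
"""Least-privilege review of vendor access requests (added example, hypothetical data)."""
from dataclasses import dataclass

PUBLIC, MODERATE, HIGH = "public", "moderate", "high"

# Constructed sample inventory: resource -> (sensitivity tier, regulation or None).
DATA_CLASSIFICATION = {
    "marketing-site": (PUBLIC, None),
    "crm": (MODERATE, None),
    "hr-records": (HIGH, None),
    "patient-db": (HIGH, "HIPAA"),
    "card-vault": (HIGH, "PCI DSS"),
}

# Vendors may only ever be granted scoped read or write; "admin" is never routine.
ALLOWED_PRIVILEGES = ("read", "write")


@dataclass
class Vendor:
    name: str
    contracted_scope: frozenset               # resources named in the statement of work
    agreements: frozenset = frozenset()       # e.g. {"HIPAA"} once a BAA is signed
    assessment_passed: bool = False           # recent network security assessment on file


@dataclass
class AccessRequest:
    vendor: Vendor
    resources: frozenset                      # "*" means "the entire network"
    privilege: str


def review_request(req):
    """Return (decision, findings); decision is 'approve' only when nothing is flagged."""
    findings = []
    if req.privilege not in ALLOWED_PRIVILEGES:
        findings.append(f"privilege '{req.privilege}' is not grantable to vendors; "
                        "request a scoped role instead")
    if "*" in req.resources:
        findings.append("wildcard resource: entire network requested, narrow to named resources")
    for res in sorted(req.resources - {"*"}):
        if res not in DATA_CLASSIFICATION:
            # Unclassified data cannot be risk-rated, so it is never handed out by default.
            findings.append(f"{res}: unclassified resource, classify before granting access")
            continue
        tier, regulation = DATA_CLASSIFICATION[res]
        if res not in req.vendor.contracted_scope:
            findings.append(f"{res}: outside {req.vendor.name}'s contracted scope")
        if tier == HIGH and not req.vendor.assessment_passed:
            findings.append(f"{res}: highly sensitive and no security assessment on file "
                            f"for {req.vendor.name}")
        if regulation and regulation not in req.vendor.agreements:
            findings.append(f"{res}: {regulation} data but no {regulation} agreement "
                            f"with {req.vendor.name}")
    return ("approve" if not findings else "deny", findings)


# Constructed sample vendors.
PAYROLL_VENDOR = Vendor("PayrollCo", frozenset({"hr-records"}), frozenset(), True)
IT_CONTRACTOR = Vendor("HelpdeskLtd", frozenset({"marketing-site"}))


def demo():
    """Run one well-scoped request and one over-broad request through the review."""
    scoped = review_request(AccessRequest(PAYROLL_VENDOR, frozenset({"hr-records"}), "read"))
    broad = review_request(AccessRequest(IT_CONTRACTOR, frozenset({"*", "patient-db"}), "admin"))
    return scoped, broad


if __name__ == "__main__":
    for decision, findings in demo():
        print(decision)
        for line in findings:
            print("  -", line)
```

The useful property is that a denial comes back with every reason spelled out, so the answer to a vendor is "here is the scoped role and the paperwork we need" rather than a vague "no"; the same findings list also doubles as the evidence trail for the due-diligence step later in this post.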
What shouldn’t you do?
Don’t create generic expectations for everyone—telling a vendor that you expect them to keep your data “secure” is probably not good enough. Make sure that you are specific about what you mean. Ideally, you should cite your industry standard for cybersecurity, such as ISO 27001, the PCI security standards, or even HIPAA-HITECH. Be clear about how you expect vendors to abide by strict security standards (otherwise, they’ll probably rightly say that they were securing your data and that you simply weren’t clear enough!).
Don’t allow vendors access to your data without doing your due diligence—understanding whether your vendor maintains a clean and healthy network will tell you a lot in regards to whether they’ll keep your data secure. Consider asking them for a network security assessment before trusting that you’re in the right hands.
Don’t allow vendors access to your network using unapproved devices—just like employees, many vendors may take security shortcuts. They may access your network from insecure locations (maybe a coffee shop). They may also access your data from insecure devices—perhaps a personal laptop that hasn’t been patched in a couple of months. Either way, you are exposing your sensitive data to breaches if vendors aren’t careful with your data and with how they access it.
One More Thing
I hope you use this list as a starting point for picking out secure vendors… but let me be clear, this is only a starting point towards establishing healthy relationships with vendors that are doing their part to keep data secure. Before signing the dotted line, I hope you do some homework!
Are you sure your vendors are keeping your data secure?
Consider a free network security assessment to learn more!