Giving third-party vendors access to your network and data creates numerous security risks. According to the Ponemon Institute, 49% of companies surveyed had suffered a data breach caused by a third-party vendor, and attackers themselves acknowledge that contractors are often their preferred entry point. Some of the most devastating breaches in the past few years have been rooted in exactly this weakness.
Every business enters into contracts with third parties such as payroll providers, HVAC contractors, and IT companies. Those companies may have a connection into your network, or they may hold sensitive personal information about your employees or customers. If any of those vendors is compromised, attackers can use the vendor's access to reach your network; if the vendor holds personal information, they can steal that data and sell it. And those affected by the breach—customers, banks, and regulators—will come after you, because it was your data.
Certain compliance standards require that vendors and associated business partners maintain security controls equivalent to your own. But this is not only about meeting mandatory requirements; it is about taking responsibility for the data you are entrusted with. There is little point in your company investing in extensive protection for customer data if, once that data reaches your vendor's systems, a simple phishing attack can expose it.
The costs of responding to a data breach include notifying customers, providing credit monitoring services, remediating IT systems, defending lawsuits, and paying fines. For large companies such as Target, these costs run into the tens of millions of dollars or more. Even small and medium-sized businesses find that responding to a breach can easily exceed $50,000, not counting lost business, reputational damage, and potential lawsuits or government enforcement actions.
If one of your vendors suffers a data breach that affects your company, your customers, or your employees, who covers the costs of responding to it? If your vendor agreement does not spell out who is responsible, you may be forced to bear them yourself. And if you then consider suing the vendor, the absence of clear contract language on liability and breach costs will make such a lawsuit very difficult to win.
Third-party vendor management, like all business, is about relationships: creating them, building them, maintaining them, and making sure they are mutually beneficial. Security is an inherent feature of a healthy relationship and should be a main focus when working with any vendor. That requires a strong, ongoing vendor management process that starts long before the contract is signed. By performing due diligence up front, you gain a clear understanding of the vendor's security posture and can verify that their controls are at least as strong as yours and meet your security requirements.