Guidelines for Third-Party Security Assessments

In our digitally connected world, organizations have discovered that cybersecurity is more than just an inside job. Even the most sophisticated in-house controls won’t secure sensitive data if an organization’s third-party vendors lack adequate protection.
 
Hackers are increasingly targeting weak links in a business’s supply chain in order to tunnel their way into systems and networks. In a 2017 survey by Opus and Ponemon Institute [1], 56 percent of businesses said they suffered a breach caused by one of their vendors, an increase of seven percent over the prior year. For example, in a recent breach of the ride-sharing giant Uber, hackers had gained access to the company’s worldwide customer information through an outside service employees used to collaborate on software code [2]. Verizon [3] and Time Warner Cable [4] were among other major enterprises to report a third-party breach in 2017.
 

Third-Party Security Assessments Are the New Norm

In a world of growing cyber risks, vendor security management is a priority for businesses of all sizes. If the nature of your business involves accessing sensitive data stored on your clients’ networks or systems, you can expect those clients to require an assessment of your security practices to ensure they meet their standards. Assessments typically begin with a detailed questionnaire followed by annual security audits.
 
Third-party security questionnaires can be long and complex, asking anywhere from 20 to 200 questions on topics ranging from your security policies and procedures to the details of your technical controls. They can also be challenging: businesses report that they often need an expert to understand the questions being asked – and those that have multiple clients can face the onerous task of completing multiple surveys, no two of which are the same. This can put the burden of time and expertise on businesses with limited security resources.
 

Security Is an SMB Opportunity

But security is not a one-size-fits-all proposition, and the controls that are expected of a Fortune 500 company may be overkill for a small or midsized organization. Your best approach is to have a risk management plan in place before you’re required to complete a questionnaire, along with a rationale for what you do and don’t do. These can be selling points with clients that make security a priority, and they also serve as a strong foundation to build upon should those clients require additional controls. Don’t think about this as an onerous requirement. Use it as an opportunity to differentiate your company and build confidence with your clients.
 
These steps taken proactively will help your security cause:
 
  1. Complete a risk assessment to identify your business’s top security needs. Identify the specific customer data or other network assets you access and the risks associated with it.
  2. Segment those systems that contain sensitive customer information from the rest of your network. This will enable you to focus your security efforts specifically on those areas of client concern.
  3. Invest in basic measures to address the risks you have identified. Choose the most effective controls with the greatest impact on your high risk exposures over costly or untested solutions promoted by security vendors.
  4. Be sure to implement them correctly.
  5. If you receive a significant number of security questionnaires, consider hiring a security professional, whether an employee or an outside consultant. This individual can assist you in understanding the questions posed, guide your responses, focus your remediation efforts, and help manage your customer relationships in regard to security. This can be especially important for clients in highly regulated industries, such as health care or financial services.

Respond to Questionnaires in a Strategic Manner

When completing a questionnaire, know in advance that your client probably doesn’t expect you to have controls in place for every question asked. No one expects perfection, and some large companies ask for controls they themselves don’t have. The most important thing is to understand what your most important assets are, and if your protection in a certain area is weak, let your client know. Then clearly communicate your plans for addressing any gaps in your security plan. Most clients will appreciate an honest and transparent identification of potential security gaps, as long as you can provide a reasonable plan to address those gaps.
 
These additional guidelines will also aid your cause:
 
  • Invest most of your time answering questions that relate to the services you provide and are of the greatest concern to your client.
  • Have the right person complete the questionnaire. Your security consultant or employee who manages your security efforts will be able to provide more knowledgeable responses than a sales person.
  • Don’t lose sight of the requirements you are contractually obligated to fulfill in your service level agreement (SLA). Be sure your risk management plan aligns with your SLA, and if not, take immediate action to avoid jeopardizing your client-vendor relationship.

Consider Cyber Insurance

In a landscape of ever new and evolving cyber threats, cyber insurance is essential. In fact, larger organizations know there’s no such thing as perfect security and may require you to purchase cyber insurance as a valuable component of managing your security risk – and protecting their sensitive business data. Talk to your insurance agent about a policy that meets the needs and risks of your business.
 
 
[1] https://www.opus.com/ponemon/#infographic-form
[2] https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data
[3] https://www.forbes.com/sites/leemathews/2017/07/13/millions-of-verizon-customers-exposed-by-third-party-leak/#5466bf312836
[4] https://gizmodo.com/millions-of-time-warner-customer-records-exposed-in-thi-1798701579