Questions to ask vendors before hiring
Before you start hiring vendors for your company, you need to make sure they aren't a risk to your organization from a cybersecurity standpoint.
This goes for cloud partners who may be handling data directly, but AS Mag points out there are also risks from more mundane vendors. If you have smart systems or buildings, you need to look at who is operating IoT-connected devices that could back-door into your network, such as HVAC controls or building management software.
If your sensitive data is accessed by or through a vendor, your organization is still responsible. That's why it is so important to conduct vendor risk assessments at multiple stages of any partnership, including:
- At the research stage, you should do background checks to see if the vendor or any of their other clients have ever been involved in a breach
- At the RFP stage you should ask all of the questions you possibly can about their own cybersecurity processes
- At regular intervals during an ongoing vendor relationship, you should circle back to make sure they are still compliant with your cybersecurity standards
- At contract renewal, you should check in again to see if they are scaling or changing their approach in any way that could affect their cybersecurity
- At termination of a contract, you should do a complete review of every touch point between the vendor and your organization to ensure access is removed, accounts deactivated, and passwords changed
If you make vendor risk assessments part of your routine and set up alerts that will always be triggered by the above vendor-related events, you can maintain your security wherever and whenever vendors intersect with your organization.
Questions to help assess and mitigate vendor risk
There are five categories to explore when discussing risk with a potential vendor:
1. Who is responsible for your cybersecurity?
- Do you have a chief information security officer (CISO)?
- Have you implemented policies and procedures to ensure your organization's physical and cybersecurity?
- Do you have annual security risk assessments conducted by a third party, and can you provide these reports?
- Do you test physical security of the organization at minimum on an annual basis?
2. How does your organization manage internal security?
- What type of technology architecture do you have, and how is it secured?
- Are your web applications regularly tested?
- How do you secure data storage and backups, and email encryption?
- What are your password and username guidelines?
3. Employees and third parties
- How do you manage remote access to your own network?
- How do you manage employees and third parties in regard to security?
- Do you allow or encourage BYOD? If so, how do you secure such devices?
- Do you train employees in regard to security awareness?
- Have you audited your social engineering vulnerabilities?
- Which of your employees will be interacting with our networks?
- What security policies do you use with your own vendors?
- What specifically do you do to safeguard accounting, payroll processing, and software?
4. How do you handle the risk of an incident?
- Have you ever had a security breach?
- Do you have an incident response plan?
- Is there a contingency plan in place to notify you of a breach if one occurs?
5. How will you interact with and safeguard our data specifically?
- Do you carry cyber insurance, or business or malpractice insurance?
- Are measures in place for endpoint security, and if so, are they current?
- Will security monitoring be in place from your end?
- Do you have certificates of compliance?
Elevate Consult lists a variety of security certifications that can help vendors be aware of and meet standards for cybersecurity, including ISO 27001, SOC 2/SSAE 18, or FedRAMP.
Remember, your vendors' security — as well as yours — both need to be strong, so start cyberprotection with an assessment of your own on-premises and cloud protections, and bolster them where needed. Perle can help. Read our customer success stories to learn more.