There’s an abundance of software and products available to, in theory, create efficient business operations. It could be an email program for communications, an HVAC system or even a new vending machine to keep workers from being hangry. Regardless, each requires a sales process to buy. During those sales conversations it’s easy to have rose-colored glasses on and be distracted by the new and shiny. But did you know that more than 60% of breaches can be related to a third party?
Due to the risk of vendors pose, we wanted to share three quick tips for before you sign that contract –
1 – Be selfish.
This is the perfect time to be selfish and to take the process at your own pace. Take a moment to critically understand your internal security posture and risks, and then potential risk related to the new tool. Are there any known gaps or issues that haven’t been resolved and could cause future issues? Would the third-party have access to unnecessary information?
Understanding this information in context with a specific tool will help you navigate the sales conversations. The sales rep doesn’t know your system and the intricate problems the tool solves (or creates). There’s no reason to put the company at unnecessary risk for a breach for a new tool.
2 – The third-party vortex.
Does the third-party have its own third-parties? Is each party fully secured? And furthermore, what specific security tools and policies are implemented? Keep track of third-parties with an inventory list. Prioritize ones with access to confidential information and track which are sharing their data with one or more contractors.
Breaches are created around stealing confidential information, this system gives you a way to help track that information, and more importantly who has access to it. Buying a new tool is the perfect time to start a list.
3 – Automate your third-party risk assessment.
Ironically, help assess third-party tools with a third-party tool. Security Scorecard’s Vendor Risk Management allows for every third-party tool to be evaluated against the same set of standards. Traditionally, tools are evaluated via self-reported questionnaires, onsite assessments or pen tests. While some type of evaluation is good, these traditional methods leave opportunities for unrealistic reports.
The gist is to not get distracted by the new and shiny and jump into buying a new tool or product before evaluating from a security perspective. Security risks can quickly outweigh the sales pitch and business operation benefits, so just be diligent during the process. If you have any questions, feel free to reach out!