Cybersecurity: Third-Party Vendor Security – Lane Report
Whether managing the company payroll, facilitating health and wellness benefits, providing order fulfillment, or managing a call center, companies rely on outside vendors to operate. Sensitive information flows seamlessly through supply chains, making it fair game along the way. Third-party vendor data breaches and cyberattacks are increasing, as is the risk to organizations when their sensitive information becomes compromised.
The Annual Third-Party Risk Management Study conducted by Prevalent found that 61% of companies experienced a third-party data breach or cybersecurity event in 2023. According to a report by KPMG, 73% of organizations experienced at least one significant disruption caused by a third party within the past three years. According to Venminder, the most significant impacts of a third-party cybersecurity incident were financial damage, reputational damage, and regulatory scrutiny.
Third-party vendors have an obligation to keep your information protected. However, gaps in their security protocols can have a devastating effect on your business. To reduce risk, do your homework, ask targeted questions and choose to work with reliable and trustworthy vendors.
Critical questions to ask a third-party vendor
Do you conduct regular security audits and vulnerability assessments? A vulnerability management program should be in place to identify, classify, remediate/mitigate and continuously monitor for security vulnerabilities. Without it, your company could be left with weaknesses that internal or external bad actors could exploit. Ask for a copy of a recent cybersecurity risk assessment or audit report. That helps verify that the vendor is truly following best practices for protecting your data.
How do you handle security patches and updates for your systems? Regular security patches and updates are crucial to protecting your business. They are the frontline defense against exploits targeting software, operating systems and hardware vulnerabilities.
How do you protect sensitive data at rest and in transit? All data should be protected with strong encryption algorithms to prevent unauthorized access.
Who will have access to our data? Controls should be put in place to restrict access to sensitive information. Only those individuals who need the specified information to do their jobs should be permitted access, following the principle of “least privilege.”
Do you enforce multi-factor authentication (MFA) for system access? This multi-step process significantly reduces the risk of successful cyberattacks. Implementing MFA helps protect sensitive business data, prevent unauthorized access and enhance overall cybersecurity.
How do you monitor and log access to sensitive systems? Monitoring and logging access to sensitive systems helps detect unauthorized activity, prevent data breaches and ensure accountability. Detailed logs provide a trail of who accessed what data and when. Without proper monitoring, cyberthreats or insider attacks could go unnoticed.
Do you have an incident response plan? An incident response plan instructs a business on how it will respond to a cyber incident when it occurs. A specific plan that includes periodic walkthroughs allows personnel to understand their responsibilities so they can respond quickly and minimize damage.
How do you back up data, and how quickly can you restore it after an incident? A comprehensive backup strategy that is tested frequently is a must to ensure your data can be recovered if needed. A disaster recovery (DR) plan provides step-by-step instructions on restoring services, applications, software and other systems so your company can resume operations quickly. The DR plan should be tested annually to assess the company’s response time and ability to restore data.
Managing your vendors
Once you’ve vetted and chosen your vendors, you’ll need to manage them and the potential risks they pose.
Keep a list of all your vendors and rank them by risk. Who has the most access to your sensitive information? Who provides a critical function that, if disabled, can bring your business to a standstill?
Regularly check in with vendors and monitor their security practices. If you see something you don’t like, address it right away. Create a vendor due-diligence checklist to monitor cybersecurity more effectively.
Know what you’ll do should the worst happen. Create a plan to respond quickly to any security incident or breach with a vendor.
Safeguard your organization by implementing a zero-trust approach, which limits access to your network and better protects it from an attack.
You may also find it helpful for your IT team to collaborate with the vendor’s IT team to ensure the safety of your information.
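As an added illustration (not from the article or its author), here is a small vendor risk register that turns the eight questions above into a yes/no checklist, ranks vendors by how much sensitive data they touch and how critical they are, and flags vendors whose security check-in is overdue. The vendor names, scores and dates are constructed sample data, and the scoring weights are an assumption to be tuned for your own business.

```python
from dataclasses import dataclass
from datetime import date

# The due-diligence questions above, reduced to yes/no checklist items.
CONTROLS = ["audit_report", "patching", "encryption", "least_privilege",
            "mfa", "logging", "incident_response_plan", "tested_backups"]

TODAY = date(2024, 6, 1)  # constructed reference date for the review check

@dataclass
class Vendor:
    name: str
    data_sensitivity: int   # 1 = public data .. 3 = payroll/health-grade data
    criticality: int        # 1 = replaceable .. 3 = outage halts the business
    controls: dict          # checklist item -> True if the vendor demonstrated it
    last_review: date       # last time you checked in on their security

def missing_controls(v: Vendor) -> list:
    """Checklist items the vendor could not demonstrate (the gaps to chase)."""
    return [c for c in CONTROLS if not v.controls.get(c, False)]

def risk_score(v: Vendor) -> int:
    """Inherent exposure (sensitivity x criticality) scaled by missing controls.
    Assumed weighting: range 1..81; a vendor with full marks keeps only its
    inherent score, so high-exposure vendors never fall out of view."""
    return v.data_sensitivity * v.criticality * (1 + len(missing_controls(v)))

def rank_vendors(vendors: list) -> list:
    """Highest-risk vendors first: these get the most frequent check-ins."""
    return sorted(vendors, key=risk_score, reverse=True)

def overdue_reviews(vendors: list, today: date, max_days: int = 365) -> list:
    """Vendors whose last security check-in is older than max_days."""
    return [v.name for v in vendors if (today - v.last_review).days > max_days]

def sample_register() -> list:
    """Constructed sample data, not real vendors."""
    full = {c: True for c in CONTROLS}
    return [
        Vendor("PayrollCo", 3, 3, {**full, "logging": False}, date(2024, 3, 1)),
        Vendor("CallCenterCo", 2, 2,
               {**full, "mfa": False, "logging": False, "tested_backups": False},
               date(2023, 1, 15)),
        Vendor("PrintShop", 1, 1, {}, date(2024, 5, 1)),
    ]

if __name__ == "__main__":
    reg = sample_register()
    for v in rank_vendors(reg):
        print(f"{v.name:14} score={risk_score(v):2}  gaps={missing_controls(v)}")
    print("overdue check-ins:", overdue_reviews(reg, TODAY))
```

Note that the low-sensitivity print vendor with no demonstrated controls still ranks below the payroll vendor with a single gap, which is the point of ranking by exposure first.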
As businesses continue to outsource critical functions to third-party sources, the risk that their data will be exposed to cybercriminals only increases. That makes implementing solid security practices and staying vigilant more critical than ever.
Jeff Chandler is CEO of Z-JAK Technologies and author of “Hacked! What You Must Know Now to Protect Your Business Financials, Customer Data, and Reputation from Cybercriminals.”