9 IT Vendor Management Best Practices

9 IT Vendor Management Best Practices
Written by Melissa Stevens
Director of Digital Marketing & Demand

You’ve likely heard your fair share of mortifying headlines around IT vendor management mistakes. Many of the highly publicized breaches in the last several years happened simply because the companies did not follow basic best practices for IT vendor risk management (VRM).

But our goal isn’t to point fingers. We simply want to help you avoid making those same mistakes! The following nine tips and tricks will help you organize your IT vendor management processes—and they may help you avoid being in the spotlight for embarrassing reasons.

1. Know who your vendors are and what they have access to.

Many organizations don’t have a complete list of their vendors. Or, even if they do have such a list, they don’t know what kinds of data their vendors have access to and whether their vendors have direct access into their network. These are major issues. You should be taking the cybersecurity posture of your vendor very seriously to avoid any unwanted consequences.

2. Know how vendors are connected to you.

If you can recall the highly publicized Target breach of 2014, you’ll remember that Target had contracted out to Fazio HVAC to wirelessly monitor their refrigerated units. Target knew Fazio HVAC had a connection, but they didn’t know the extent of the connection—and they certainly didn’t realize someone could get access to their entire corporate network through one HVAC company. It’s perfectly reasonable to provide third parties with access to your network—but you have to be able to limit their access to what they truly need. Frankly, anything else is negligent.

3. Know which vendors have your sensitive data.

This is a combination of knowing who your vendors are and analyzing what constitutes sensitive data. This could be health care records, research and development, credit card numbers, or a number of other “crown jewels.” Make sure you understand where your most sensitive data is going and who could potentially get their hands on it.

4. Clearly spell out all security expectations in your vendor contracts.

Having an incident occur on a vendor network that results in the loss of your data is a frustrating process. But there is nothing worse (or more embarrassing) than digging through your contract with the vendor to figure out what your restitution is, only to realize you didn’t spell out your security expectations. If something like this happens, you’ll likely have no recourse whatsoever. So, it’s very important to protect yourself as best you can through your vendor contract from the get-go.

5. Don’t give free passes to anyone.

A lot of people assume that since they’ve known someone for a long time or because a company seems trustworthy, that they’re doing a good job. This is a huge mistake. Again, this goes back to “trust, but verify”—don’t make any assumptions about cybersecurity, no matter how strong the vendor’s reputation may be.

6. Assess your vendors for their security.

Simply put, you should never trust everything your vendor is telling you. This isn’t to say your vendors are liars, but often, responses can be based on what your vendor's believe to be true. Assessments can help point out mistakes and issues that have been previously undiscovered. On-site testing and other vendor risk management best practices can help you verify that your most sensitive data is being vigilantly protected.

7. Ensure that your vendors know to report an incident to you.

Many organizations will notify you of a security breach whether they’ve been contracted to or not, but some may decide to keep that information to themselves in a last-stop effort to keep their relationship with you. No matter what, you can’t assume that your vendor will come forward unless you’ve made this very clear to them.

8. Let your vendors know this is a priority for you.

If you don’t treat cybersecurity as a priority in your own company and with your vendors, other issues will take greater precedence. The point is, you should assume your vendor doesn’t know that cybersecurity is of the utmost importance until you make it clear to them.

9. Don’t assume a small vendor can’t cause a big problem.

The size of the vendor and the price of the contract aren’t all that important in terms of cybersecurity. The important thing is whether your vendors have access to your sensitive data or corporate network. For instance, if I hire a sales data entry service, but give them full network access, I am creating a huge potential risk.

In Conclusion

You must have a defensible process in place for your vendor management. You should be able to confidently say that you manage third-party risk as best you can and, even though bad things are likely to happen, that you’re doing what you can to cover your bases. If you can do this, you’ll likely find yourself in the headlines for all the right reasons.

DOWNLOAD GUIDE: 40 QUESTIONS YOU SHOULD HAVE IN YOUR VENDOR SECURITY ASSESSMENT