To determine whether your vendors are properly prepared, consider the following questions:
- Does the vendor remain updated on changes to regulations and new data protection laws?
- What controls are in place to protect your customers and your sensitive data?
- How does the vendor train their staff on cybersecurity best practices?
- Does the vendor run network and social engineering tests to check how well it can identify common cyberattacks such as phishing emails?
- What effective response plans are in place?
- How would the vendor handle follow-up and resolution of a data breach?
Understanding how the vendor would handle an incident may give you a good idea of any risks present and how well the vendor’s procedures and priorities align with those of your organization.
The initial due diligence process is only one part of your relationship with a vendor; the risks associated with that vendor persist for as long as the relationship lasts. Just as you regularly assess your vendor's performance, services, and financial health, it is also imperative to perform ongoing due diligence on its cybersecurity measures.
Here are several suggested best practices for implementing third-party data protection into your third-party risk management strategies:
- Only share sensitive data with vendors when necessary, and don't give vendors access to sensitive data when it isn't required.
- Monitor your vendor to ensure that it continues to perform well. Regularly assess reports and document any new weaknesses.
- Maintain your organization's expectations and stay up to date with new laws and regulations – and ensure that your vendor does as well.