You may have received a letter recently from a local medical provider notifying you of a cyber incident involving stolen data. Although it made the local news, we won’t mention the provider because it seems like this incident appears to have originated with a third-party vendor. 

As a local CSRA business, it should at least give you a pause to see another local business have to expose their own situation to the world. We thought we’d share some quick thoughts on assessing vendors to help minimize risk. 

1. Start with the Data

Before evaluating the vendor, understand what they’re actually touching. 

  • Do they have customer information?  
  • Employee records?  
  • Financial data?  
  • Credit card information?  
  • Intellectual property?  
  • Access to Microsoft 365?  
  • Remote access to our network?  

A landscaping company that sends invoices is a different risk than your payroll processor or managed IT provider. 

2. Ask About Security Practices

A reputable vendor shouldn’t be surprised by these questions. 

Examples: 

  • Do you require Multi-Factor Authentication (MFA)?  
  • Is customer data encrypted?  
  • Do you perform regular security awareness training?  
  • How do you back up customer data?  
  • Who can access our information?  
  • How long do you retain our data after we stop being a customer?  

You don’t necessarily need technical details. You’re looking for evidence that they’ve thought about these issues. Just make standard cybersecurity concerns part of your overall assessment. 

3. Ask About Incident Response

For those vendors who do have access to sensitive information, ask them what their incident response plans are. 

Listen for answers like: 

  • We have an incident response plan.  
  • We’d engage a forensic firm.  
  • We’d notify affected customers promptly.  
  • We have cyber insurance.  

If the response is vague or dismissive, that’s a warning sign. If you don’t get specifics or assurance, you should look for someone else (or ask the potential vendor to find out and give you specifics…maybe someone else in the business knows). 

4. Read Their Privacy Policy and Security Page

Again, for a vendor which has access to sensitive data, you’d like to know what their privacy policy is. 

Look for information about: 

  • Encryption  
  • Data retention  
  • Breach notification  
  • Data sharing  
  • Compliance commitments  

If a vendor can’t clearly explain how they protect customer data, that’s worth noting. 

5. Research Their Reputation

Search for things like: 

  • “[Vendor Name] data breach”  
  • “[Vendor Name] security incident”  
  • “[Vendor Name] ransomware”  

A past breach isn’t necessarily a deal-breaker. What matters is how the company responded. Did they investigate, communicate transparently, and improve their security, or did they try to minimize the issue? 

6. Review Contracts Carefully

Pay attention to clauses covering: 

  • Breach notification timelines  
  • Data ownership  
  • Data deletion when the relationship ends  
  • Liability  
  • Security responsibilities  

These details become important if something goes wrong. 

7. Reassess Periodically

Vendor security isn’t a one-time checklist. Businesses change, so it can be useful to periodically assess your vendor relationships, especially when you note they’ve undergone a recent change. 

Final Thoughts

Cybersecurity is no longer just about protecting the computers inside your office. Every payroll provider, cloud application, accounting firm, marketing platform, and IT vendor that has access to your data becomes part of your security strategy. 

And it’s impossible to completely eliminate all cyber risk. But your goal here is to ask good questions before you trust someone else with information that’s important to your business. 

A few thoughtful conversations today can help prevent a much more difficult conversation tomorrow.