According to the 2022 Verizon Data Breach Investigations Report, 62% of network breaches occurred through an organization’s partner. Statistics like this challenge the assumption that engaging security vendors and sharing data with them is, by itself, a safe path to organic growth.
Organizations today are also facing the new reality of a hybrid work environment: decentralized offices, flexible remote work practices, greater health precautions in the workplace, and dynamic security threats. As you navigate the changing landscape of work during a pandemic, it becomes increasingly important to minimize costs, respond to new conditions, and future-proof your organization.
Finding the right security vendor to protect your organization’s data while meeting your budget can prove challenging, given the sheer number of vendors and solutions available. A good starting point would be a checklist to evaluate vendors and ascertain if they are the right fit for your organization.
We have outlined how to select a security vendor based on the factors listed below:
1. Data Sharing Process
2. Background
3. Certifications and Credentials
4. Security Posture
5. Customer References
6. Pen Testing Report
7. Policies and Procedures
8. Post Engagement Support
1. Data Sharing Process
To conduct a successful vendor selection process, begin by defining the terms of the working relationship you plan to create with the vendor. You need to understand what information and data will be shared between your organization and the vendor. Organizations often narrow a list of possible security providers down to the top 3-5 and pass it along without going into these crucial details – a recipe for failure.
Review the following questions vis-à-vis the internal processes in your organization.
- How much access will they have? This might be expressed in a tiered internal system, with level one access being the least critical and level four access being the most critical.
- Which systems will they be able to access?
- What information will be shared between the organization and the security vendor? Will Personally Identifiable Information (PII), health care data, intellectual property, or similar sensitive files be disclosed?
Different organizations have varying levels of risk. For some organizations this necessitates an on-site assessment, including pen testing, while for others it can be conducted remotely. Knowing ahead of time how much access the security vendor will have and what type of data will be shared is critical. With this information in mind, you should have a clear idea of how carefully your security vendor must handle your organization’s data.
2. Background
Assess critical aspects of a vendor’s credentials and background. Review the following questions vis-à-vis the portfolios of the vendors you are considering.
a. Are they trustworthy?
While only some security vendors are ready to share information about their clients, they should be able to issue letters of recommendation. A simple phone call or email to a previous or present client can clear up any confusion about a vendor’s credentials, abilities, and capacity. Additional research, including online reviews, discussion board comments, etc., can also go a long way toward finding the right fit for your business.
b. Do they understand your industry?
Although many security components are universal, several organizations have specific technical requirements and rules. Ensure that your security vendors are familiar with your organization’s software, technology, and any industry-specific legal requirements. It is preferable to have a vendor who has worked in a similar setup.
c. Is the company stable, financially sound, and insured?
According to a recent poll, 25% of SMBs declared bankruptcy after a data breach, and 10% went out of business. In worst-case scenarios, the vendor’s insurance could potentially cover your business loss for negligence and errors during the engagement.
d. What is their contingency plan if something goes wrong?
Since breaches have become the third certainty in life, after death and taxes, it is critical to choose a security vendor with a reputation for adequately preparing clients for the reality of a breach and a track record of getting them through it.
3. Certifications and Credentials
Certifications confirm that a vendor has good security hygiene. Many security vendors claim to be experts while having very few industry-standard credentials or qualifications. Before working with a vendor, look for certifications such as CompTIA, GSEC, CISSP, or CCSP. You also need to ensure that everybody who has access to your network and data has been thoroughly trained and verified.
ISO 27001, or its American counterpart, NIST, is one of the most widely used standards for describing information security management. These standards make it mandatory for all procedures to be documented and adhere to data security protocols. They govern both the technical infrastructure requirements and the manner in which a business operates. Adhering to these standards ensures that your client data is secure, communication is private, and your employees have been adequately vetted and trained.
The PCI DSS is a payment card industry standard. It is one of the highest security certifications a supplier may acquire for the protection of payment information. Other security certificates are more industry-specific, although they also indicate a high level of maturity in the security program. HIPAA compliance is necessary in the United States if you deal with Protected Health Information (PHI). GDPR sets the data privacy rules that apply in Europe.
In addition, a recent SOC 2 examination report of a vendor validates their technology, processes, and people by a third-party auditing firm.
4. Security Posture
Revisiting the 2022 Verizon Data Breach Investigations Report – it was found that 62% of network breaches occurred through an organization’s partner. Before onboarding a security vendor, you must thoroughly examine their security posture to avoid becoming part of this statistic. For most organizations, this is an expensive and time-consuming process. However, you can define acceptable risk levels and create contractual language to verify that your entire third-party network satisfies the security standards and protocols that your organization adheres to.
Establish a culture of cross-collaboration across departments. Everyone from the CEO, CIO, and CFO to the head of the legal department should be involved in assessing your organization’s risk appetite – what is acceptable and what is not. Then, define risk parameters, for example, the imposition of additional contractual controls depending on a specific vendor’s rating. Lower-rated items may require more extensive controls to satisfy your acceptable risk threshold.
5. Customer References
Require each security vendor to provide a list of three references. Then, make sure to call or email those references and respectfully ask questions, including but not limited to the following:
- Were their personnel knowledgeable?
- How would you rank their product or service quality?
- Did you get the level of service you were promised?
- What steps did they take if something went wrong?
- Did you have to revisit any shortcomings in the security protocols?
- Would you recommend the vendor to other businesses? Why or why not?
6. Pen Testing Report
Many security certifications require a penetration test to uncover potential flaws. Security-conscious businesses frequently run them internally to prevent leaks and breaches. A formal report on the test results will contain sensitive information that a vendor would be reluctant to reveal. However, you can discuss test results during conversations and negotiations with a potential security partner. It helps to ask when the security vendor last conducted a test, who conducted it, and what recommendations were made. You may not be given complete details, but the fact that the test was conducted illustrates the company’s commitment to security standards. It is reasonable to ask whether the vulnerabilities found have been addressed and whether additional safeguards have been put in place.
7. Policies And Procedures
If an organization values security, it will implement policies and procedures to meet that critical objective. A solid information security policy should address software and hardware usage and maintenance, Internet usage, email communications, access controls such as password management, and customer data processing. Organizations must inquire about the security vendors’ policies, procedures, and implementation.
Hiring And Training Procedures:
People are the weakest link in any security system, no matter how sophisticated the cyberattack is. According to a Tessian report, 43% of US and UK employees made mistakes that weakened their organization’s level of cybersecurity.
Inquire about how the security vendor hires and trains new staff. What are the credentials and certifications of their personnel? Do they conduct background checks? How frequently do staff undergo retraining? Do employees have to sign NDAs? Have there been any previous data leaks? All of these questions are appropriate before entrusting someone with your assignment.
8. Post Engagement Support
Hackers are opportunistic; ransomware, malware, and phishing attempts have increased during the Covid-19 pandemic, and they can strike at any time. IT and security vendors should ideally have resources available to respond to a cyber incident 24 hours a day, seven days a week, and should establish a communication channel with you.
The only way to defend everything you have worked so hard to create is to be vigilant about security lapses. There are several factors to consider when choosing the ideal business partner. We encourage you to use this checklist to evaluate the vendors you shortlist and make a sound business decision.
databrackets as your security vendor
With over a decade of industry experience and technical excellence, a dedicated team at databrackets can protect your organization from threats and adapt to each industry’s unique requirements, including law firms, healthcare, financial services, law enforcement agencies, SaaS providers, Managed Service Providers, and other commercial organizations. Contact us to learn more about how our services can help your company. We would be happy to connect with you.