How can I evaluate the security practices of potential business partners?

Published on October 9, 2024

Sapientia (Spent) Thomas

Assessing the security practices of your business partners is critical to safe and intelligent decision-making, but how do you do it tactfully, and what is most important to ask? Even more anxiety-inducing, what do you do if a potential business partner’s security practices aren’t up to par? There’s no magic pill that makes security best-practice conversations easier, but here are some tips for a smooth approach:

Prioritize vendors with access to sensitive data such as customer information, financials, payment processing, or cloud data services.

Vendors that provide services requiring access to sensitive data usually have security measures that satisfy their legal or insurance requirements, but it is never safe to assume so. Make a practice of completing a cybersecurity risk assessment on every vendor. If a cybersecurity event happens, you may need to provide documentation to your insurance company showing that your business did “due diligence” when assessing vendors’ security risks.

Ask for Proof of Cyber Insurance

Many companies are happy to hand over proof of cyber insurance to prospective clients to provide peace of mind. Though cyber insurance isn’t a requirement for businesses, it is a sign of a company that takes cybersecurity seriously, has planned, and understands the inherent risks associated with owning a business and providing services. 

Ask About Data Backup and Storage

If the vendor you’re assessing will be storing any of your company’s data, even briefly, ask about the storage, backup, and security policies that apply to your data. Who will have access to the data, and for how long? Will the data be stored onsite at the vendor, offsite, or with a cloud vendor? What precautions are in place, and how will the data be backed up, in the event of hardware failure, natural disaster, or a cyber event?

Ask about Security Breach History

If a vendor has had no previous breaches, that doesn’t necessarily mean their environment is secure, but it is a good sign. If a vendor has a history of data compromise, be sure they’re transparent about what happened, their response, and what procedures or policies were implemented after the incident. 

Red Flag: If a company states that it is “too small” or “has no risk” of a data breach, that’s a sign that it does not take cybersecurity seriously and has unsafe cybersecurity practices. Similarly, if a company has had cybersecurity incidents in the past but refuses to disclose what steps it has taken to prevent further threats, that is not a good sign. Transparency is key to trust.

Create a security assessment form for your vendors to complete. Having a pre-defined list of questions makes the conversation more straightforward.

Here’s a small list of typical risk assessment questions:

  • Does [vendor company] have cybersecurity insurance?
  • Does [vendor company] adhere to any industry-standard certifications or frameworks such as ISO/IEC 27001, SOC 2, or HIPAA?
  • Does [vendor company] have 2FA / MFA implemented on all email accounts?
  • Does [vendor company] have an acceptable use policy for computers and mobile devices?
  • Does [vendor company] have a clear incident response plan that includes notifying vendors and clients of potential data breaches or compromises in the event of a cybersecurity incident?
  • What type of encryption is in use for data at rest and data in transit?
  • Does [vendor company] apply Zero Trust access or role-based access controls?
  • What type of cybersecurity training, if any, does [vendor company] provide for its employees?

Lastly, what happens if a vendor fails to provide policy information or isn’t forthcoming with information that demonstrates secure cybersecurity practices?

Consider other vendors. The time cost of finding reliably secure vendors who take cybersecurity safety measures is far less than the cost of doing business with vendors who don’t; just ask anyone who’s been a victim of cybercrime. Cybersecurity policies, preventive measures, training, and incident response have become a cornerstone of business-to-business relationships.

If the vendor you’re assessing seems uncomfortable about sharing information that would reassure you about the security of your data, you can assure them that it is standard policy for your company to ask and that it is simply part of the vendor-vetting process. Good vendors will see this request as a no-brainer and are often thankful to work with clients or business partners who are as concerned with cyber-safety as they are.