What Vendor Due Diligence Is and Why You Need To Do It
It is almost impossible today to do business without contracting with vendors or third parties. Third-party vendors are any persons or businesses that provide you with a product or service. And when you do business with a third party, you take on whatever cybersecurity risks that vendor carries. If a vendor suffers a cybersecurity breach, you can potentially suffer consequences as well. A 2020 report stated that 44% of data breaches were caused by a third party. So it is a cybersecurity best practice to perform due diligence on each and every one of your third parties.
Vendor due diligence is simply performing an investigation or assessment with the goal of vetting the vendor you are contemplating taking on. You approve the vendor only when you are satisfied that the vendor meets, or can make improvements to meet, your requirements and expectations. And after the vendor is onboard you should continue to monitor its security posture.
The Vendor Due Diligence Checklist
A due diligence checklist is an organized approach to performing the investigation. The specific components of the checklist and the detail included with each depend on your organization. But the checklist typically addresses these areas:
- General business information
- Financial review
- Reputation and reports
- Insurance
- Operational policies
- Cybersecurity
Performing many of these assessments can be very complex and time consuming. Performing the same level of due diligence on every vendor can be a waste of time and resources. A cursory background check may be good enough for someone who delivers stationery to the office, but an IT contractor or financial services provider would warrant a more detailed assessment. So the first step in establishing a due diligence process is to categorize or prioritize vendors by business context and inherent risk. Then you can apply the appropriate amount of resources for each prospective vendor.
Prioritize Vendors by Risk
One way to prioritize vendors is by the amount of risk they pose to your organization. You can ask yourself, “If a security breach takes place, to what extent does that affect me?” You might categorize them as:
- General vendors – those that don’t have access to your network or data
- Confidential/sensitive data vendors – those that can access sensitive or confidential information
- Strategic vendors – those that you cannot do business without
Analyze Vendor Attack Surface
Examine the vendor’s public-facing digital footprint and look for any cybersecurity gaps in their assets. The assessment should cover their IT and network infrastructure, as well as the applications they use and how they use them. You should also evaluate the human aspects of their operation, including their social posture and the effectiveness of their security team. Solutions like Panorays can perform these assessments in minutes and are non-intrusive to the vendor being assessed.
Automate the Questionnaire Process
The security questionnaire is a key component of the due diligence process. These detailed questionnaires help identify potential threats to the prospect’s assets, financial stability, reputation and cybersecurity. They can be very time consuming both to create and to complete. So you definitely want to customize the questionnaire according to the prospect being evaluated and your business relationship with them. Automated solutions can rapidly generate and scale customized questionnaires, saving time for both you and the prospect vendor.
Continuously Monitor Vendor Risk
The due diligence process should not end once a vendor is onboard. Vendor networks and assets change, and the threat landscape evolves continuously over time. You need a process for ongoing monitoring of your vendors’ security posture to mitigate any cybersecurity threats that can affect your organization. Beyond that, when you terminate a vendor relationship, a comprehensive off-boarding process is required to remove access and privileges that are no longer appropriate.
Vigilance Helps Protect Your Organization
You have taken all the appropriate steps to protect your organization from a breach of your data or network. By performing due diligence on your vendors, you can also reduce the potential for a cybersecurity incident originating from them.
Want to learn more about how to perform better vendor due diligence? Download our guide.