Vendor Due Diligence: 101

By: Jennifer Hemmah
March 13, 2023

When many IT pros think about cybersecurity, they tend to focus on potential risks within their organization’s systems, software, and staff. But even if your business has excellent cybersecurity hygiene, that may not be enough to prevent a costly data breach or other forms of cyberattack. 

Everyone with access to your systems, location, or data also represents a potential security risk. To put a finer point on it, if a third-party vendor is careless with their own security, then everything they have access to is also at risk. 

If you don’t already do vendor due diligence, or if you’re looking for a few pointers to improve your process, give this a read.

What Is Vendor Due Diligence?

Vendor Due Diligence (VDD) — also known as supplier due diligence and third-party due diligence — means assessing the risk a potential vendor brings to your business. 

Not all vendors you work with will have access to your systems, your physical location, or your sensitive data, so vendor due diligence will vary according to what your vendor is providing for your company. 

Why Is Supplier Due Diligence so Important? 

To put it bluntly, 98% of organizations work with at least one vendor that has had a data breach in the past two years. If that vendor also has access to your sensitive data — personally identifiable information, customer financial information, and the like — their data breach can become yours.  

After a breach, cybercriminals can use your sensitive data to launch additional attacks, including ransomware. Depending on your industry and where you’re located, you could also be faced with fines and legal consequences for lax vendor management. 

But even if the worst thing that happens to you is some customer data is exposed, that’s bad enough. Regardless of whose “fault” it is, you have a responsibility to your stakeholders and customers to protect their data. When you fail to do so, you risk permanent damage to your reputation. Studies show that one in four Americans won’t do additional business with companies that have been hacked. 

More Third-Party Due Diligence Statistics You Should Know 

This isn’t a pleasant read, but if you want to prove to your boss why vendor due diligence is important, these numbers should help.

  • Roughly 60% of all data breaches happen through third-party vendors
  • According to the Ponemon Institute’s “Crisis in Third-party Remote Access Security” report, more than 50% of organizations surveyed experienced a data breach caused by third parties
  • According to that same report, 61% of organizations had failed to assess levels of third-party access risks.

Evaluating Risk for Third-Party Suppliers — What Questions Should You Ask? 

If any vendors that you work with are absolutely critical to your daily operations, you’ll need to make sure they will be in business for the long haul. That means you should know if they’re financially stable, have robust disaster recovery plans, and the like. Those who have access to your building but not your online tools or data, however, will have a different set of questions than those that have access to your data but not your physical location. 

If you’d like a good jumping-off point, the Vendor Security Alliance publishes two free questionnaires, which are updated every year. You can request them from the VSA.

At Marco, for vendors that have access to any of our systems or sensitive information, we ask a wide variety of questions to assess security practices, from control framework alignment and password policies, to background checks and financial stability.

Here are just a few examples: 

  1. Has your organization adopted a formal approach to information security based on a publicly available information security standard? (for example, ISO/IEC 27002 or the NIST SP 800 series)
  2. Does your organization require multi-factor authentication (MFA) for all user access?
  3. Do you have proof of insurance, including General Liability Insurance with Cybersecurity coverage, Employer’s Liability Insurance, Workers’ Compensation, Professional Errors and Omissions, and Crime Insurance?
  4. Are you able to provide a financial statement that includes two years' worth of comparative financial data and has been audited by a CPA?

What Should You Do With the Answers?

You should act accordingly. Know what makes a vendor a no-go for your company, or a particular role within your company, and stick to it. For vendors not meeting your standards, another option is to work with them and require remediation for important security practices with current gaps. Establish deadlines with the vendor, and put mitigating controls in place where necessary to limit the risk to your company.

For us, a vendor that needs access to sensitive information to perform their role but doesn’t have cybersecurity basics in place is an automatic no-go. To get more specific, a lack of Multi-Factor Authentication is a giant red flag. So are lax password policies, poor patch management, and poor or infrequent penetration testing. 

It's not always easy to tell when someone is simply checking the boxes but isn’t practicing good cybersecurity. Asking for independent audit reports, such as a SOC 2 report, provides more assurance than a self-attested questionnaire: an auditor has examined the controls, and a Type II report covers whether they actually operated over a period of time rather than merely existing on paper.
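As an added example (not Marco's process, and not a tool the post describes), here is a small Python triage script that implements the flow laid out above: the controls you require depend on what the vendor can reach (your systems, your building, or your sensitive data), a "no" on a basic control from a vendor with data access is an automatic no-go, every other gap becomes a remediation item with a deadline, and a "yes" with no evidence behind it is treated as unverified and gets its own short deadline for proof. The control ids, the per-access-kind requirement tables, the deadlines and the sample vendors are all constructed assumptions for illustration.

```python
"""Triage vendor questionnaire answers into approve / remediate / no-go.

Added example, not Marco's tooling. Control ids, requirement tables,
deadlines and sample vendors are assumptions constructed for this demo.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Requirements keyed by the kind of access a vendor has (page: systems,
# physical location, sensitive data). Severity "hard_fail" means a "no" is an
# automatic no-go; "remediate" means a "no" becomes an item due in N days.
REQUIREMENTS = {
    "data": {
        "mfa_all_users": ("hard_fail", 0),
        "password_policy": ("hard_fail", 0),
        "patch_management": ("hard_fail", 0),
        "annual_pentest": ("hard_fail", 0),
        "security_standard": ("remediate", 90),   # ISO/IEC 27002 or NIST SP 800 alignment
        "soc2_report": ("remediate", 180),
        "cyber_insurance": ("remediate", 60),
    },
    "systems": {
        "mfa_all_users": ("hard_fail", 0),
        "patch_management": ("hard_fail", 0),
        "password_policy": ("remediate", 60),
        "cyber_insurance": ("remediate", 60),
    },
    "physical": {
        "background_checks": ("remediate", 30),
        "general_liability": ("remediate", 30),
    },
}

# Extra items for vendors critical to daily operations (financial stability,
# disaster recovery). Assumed ids and deadlines.
CRITICAL_REQUIREMENTS = {
    "audited_financials": ("remediate", 90),
    "dr_plan": ("remediate", 90),
}

EVIDENCE_DEADLINE_DAYS = 14   # how long a vendor gets to back up a "yes"


@dataclass
class Vendor:
    name: str
    access: set                                   # subset of {"systems", "physical", "data"}
    critical: bool = False
    answers: dict = field(default_factory=dict)   # control id -> True/False; missing = unanswered
    evidence: set = field(default_factory=set)    # control ids backed by a document (policy, report)


@dataclass
class Decision:
    status: str          # "approve", "remediate" or "no-go"
    blocking: list       # hard-fail controls answered "no" or left unanswered
    remediation: list    # (item, due date) pairs agreed with the vendor


def required_controls(vendor):
    """Merge the tables for every access kind the vendor has. Where tables
    disagree, the stricter rule wins (hard_fail over remediate, shorter deadline)."""
    merged = {}
    for kind in vendor.access:
        for control, (severity, days) in REQUIREMENTS[kind].items():
            prev = merged.get(control)
            stricter = prev is None or severity == "hard_fail" or (
                prev[0] == "remediate" and days < prev[1])
            if stricter:
                merged[control] = (severity, days)
    if vendor.critical:
        for control, rule in CRITICAL_REQUIREMENTS.items():
            merged.setdefault(control, rule)
    return merged


def triage(vendor, today):
    """Apply the decision rules from the post to one vendor's answers."""
    blocking, remediation = [], []
    for control, (severity, days) in sorted(required_controls(vendor).items()):
        answered_yes = vendor.answers.get(control, False)   # unanswered counts as a gap
        if not answered_yes:
            if severity == "hard_fail":
                blocking.append(control)
            else:
                remediation.append((control, today + timedelta(days=days)))
        elif control not in vendor.evidence:
            # A "yes" with nothing behind it is box-ticking; ask for proof.
            remediation.append((control + ":evidence",
                                today + timedelta(days=EVIDENCE_DEADLINE_DAYS)))
    status = "no-go" if blocking else ("remediate" if remediation else "approve")
    return Decision(status, blocking, remediation)


TODAY = date(2023, 3, 13)   # fixed so deadlines are reproducible

# Constructed sample vendors (not real companies or real answers).
SAMPLE_VENDORS = [
    Vendor("Payroll SaaS", {"data", "systems"}, critical=True,
           answers={"mfa_all_users": True, "password_policy": True, "patch_management": True,
                    "annual_pentest": True, "security_standard": True, "soc2_report": True,
                    "cyber_insurance": True, "audited_financials": True, "dr_plan": False},
           evidence={"mfa_all_users", "password_policy", "patch_management", "annual_pentest",
                     "security_standard", "soc2_report", "cyber_insurance", "audited_financials"}),
    Vendor("Cleaning crew", {"physical"},
           answers={"background_checks": True, "general_liability": True},
           evidence={"general_liability"}),
    Vendor("Marketing agency", {"data"},
           answers={"mfa_all_users": False, "password_policy": True}),
]

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        d = triage(v, TODAY)
        print(f"{v.name}: {d.status}; blocking={d.blocking}; "
              f"remediation={[(i, due.isoformat()) for i, due in d.remediation]}")
```

Running it shows the three outcomes the post describes: the payroll vendor is approved pending a dated remediation item for its missing DR plan, the cleaning crew only needs to send proof of the background checks it claims, and the marketing agency is a no-go because MFA is missing and two other basic controls for data access were never answered. Because the script merges requirement tables by access kind, it also generalizes past the four questions quoted on the page to whatever control set you decide a given access level needs.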

How Often Should You Conduct Vendor Due Diligence? 

Due diligence isn’t just something that happens once when vetting someone new. Financial circumstances and policies evolve, and so does cybersecurity. 

We will typically ask our vendors to answer due diligence questionnaires every year to identify changes to security processes. However, if a new vulnerability pops up, we may reach out to them to make sure it doesn’t pose a risk to them, our business, or our clients’ businesses.

Isn’t There An Easier Way to Do This? 

Of course! Marco is fortunate in that we have a US-based team of 650 certified systems engineers and technical representatives. We have the time and resources to stay on top of a rapidly-evolving cybersecurity landscape and maintain proper due diligence with our vendors. That’s simply not the case for many internal IT teams.  

Vendor due diligence, unfortunately, isn’t one size fits all. So if assessing individual vendor risk is more than your team can handle, we get it! Our experts are happy to help you assess your vulnerabilities and reduce your risk. 

Talk to a Security Specialist

Topics: Security