Article written by:
Brooke Hauser, CPA
Information Technology Senior
In a survey of more than 1,000 CISOs, 61% reported a data breach caused by a vendor. Target's 2013 breach, which exposed data on as many as 110 million customers, began with credentials stolen from its HVAC vendor. Despite such events, most companies sign a contract with a vendor and then re-evaluate it only year to year, for financial rather than security reasons. Worse, approximately two-thirds of companies don't maintain a list of the third parties they use, and vendor management is not treated as part of the firm's security posture. With third-party data breaches on the rise, it belongs at the forefront of management's mind.
How to protect your company
First and foremost, read and understand your contract. Know which obligations the contract places on you and which on the vendor. If you send data or other sensitive information to a third party, establish who owns that data: if the contract is terminated and the vendor owns it, the vendor may not return it to you on request.
When entering into a contract, consider the consequences of poor performance, termination clauses and exit strategies, and the ownership and security of your data. Companies are beginning to include a right-to-audit clause so they can verify that the vendor has the necessary controls in place. Most companies, however, lack the time and resources to audit every critical vendor, so obtaining SOC (System and Organization Controls) 1 and 2 reports has become the usual way of determining whether a vendor's controls are suitably designed and operating effectively. The two reports serve different purposes: a SOC 1 report covers controls relevant to the client's financial reporting, while a SOC 2 report covers controls over the security, availability, processing integrity, confidentiality and privacy of the systems the vendor uses to process client data, so SOC 2 is the one to ask for when the concern is the security of your data.
SOC examinations are performed by an independent CPA firm rather than by the vendor itself, so the report is not a self-assessment. A SOC 2 report covers areas such as the control environment, change management, user access and monitoring activities. When you receive a SOC report from a vendor, note whether it is a Type 1 or a Type 2 report. A Type 1 report is as of a point in time and evaluates only the design of the controls, not their operating effectiveness; a Type 2 report covers a period of time (usually six to twelve months) and tests both the design and the operating effectiveness of the controls described in the report. Before relying on the report, also check its scope and dates: confirm that the systems and services you actually use are in scope, that the coverage period is recent (if it ended months ago, ask for a bridge letter or the next report), read the auditor's opinion and any exceptions noted in the test results, and review the complementary user entity controls, which are the controls the vendor assumes you operate on your side for its controls to be effective.
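As an added illustration (not code from this article or from GBQ), the checks above can be turned into a small review of a vendor inventory. It assumes a hypothetical vendor list recording each vendor's report type, the end date of the report's coverage period and whether the contract includes a right to audit; the twelve-month coverage-gap threshold is an assumed policy, and the vendor names and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Review date fixed so the example is reproducible; in practice use date.today().
TODAY = date(2024, 6, 1)

# Assumed policy threshold (not set by the article): how long after the end of a
# Type 2 coverage period the report is still accepted before asking the vendor
# for a bridge letter or the next report.
MAX_COVERAGE_GAP = timedelta(days=365)


@dataclass
class Vendor:
    name: str
    handles_sensitive_data: bool
    report_type: Optional[str]   # "SOC 2 Type 2", "SOC 2 Type 1", "SOC 1 Type 2", or None
    period_end: Optional[date]   # Type 2: last day of the period tested; Type 1: the as-of date
    right_to_audit: bool         # contract includes a right-to-audit clause


def review_vendor(v: Vendor, today: date = TODAY) -> list[str]:
    """Return the findings a vendor-management review should raise for one vendor."""
    findings: list[str] = []
    if not v.handles_sensitive_data:
        return findings            # no data exposure, nothing to chase

    if v.report_type is None:
        findings.append("no SOC report on file")
        if not v.right_to_audit:
            findings.append("no right-to-audit clause, so controls cannot be verified")
        return findings

    # SOC 1 addresses financial-reporting controls, not the security of your data.
    if v.report_type.startswith("SOC 1"):
        findings.append("SOC 1 covers controls over financial reporting; request a SOC 2 for data security")

    if v.report_type.endswith("Type 1"):
        findings.append("Type 1 only: control design at a point in time, operating effectiveness not tested")
    elif v.period_end is not None and today - v.period_end > MAX_COVERAGE_GAP:
        days = (today - v.period_end).days
        findings.append(f"Type 2 coverage ended {days} days ago; request a bridge letter or current report")

    return findings


def review_inventory(vendors: list[Vendor], today: date = TODAY) -> dict[str, list[str]]:
    """Map each vendor that has at least one finding to its findings."""
    return {v.name: f for v in vendors if (f := review_vendor(v, today))}


# Constructed sample inventory; names and dates are hypothetical.
SAMPLE_VENDORS = [
    Vendor("payroll-saas", True, "SOC 1 Type 2", date(2023, 12, 31), False),
    Vendor("cloud-storage", True, "SOC 2 Type 2", date(2024, 3, 31), True),
    Vendor("hvac-monitoring", True, None, None, False),
    Vendor("analytics-platform", True, "SOC 2 Type 1", date(2024, 1, 15), True),
    Vendor("ticketing", True, "SOC 2 Type 2", date(2022, 12, 31), True),
    Vendor("office-catering", False, None, None, False),
]

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_VENDORS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against the sample list, the review is silent on the vendor with a current SOC 2 Type 2 and on the vendor that handles no sensitive data, and flags the rest: the SOC 1 holder, the vendor with no report and no audit right, the Type 1-only vendor, and the vendor whose Type 2 coverage lapsed well over a year ago.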
Begin incorporating vendor management and due diligence into your company's business processes, and make third-party security a priority for your firm.
GBQ IT Services is one team of builders, breakers, operators and auditors with access to a consortium of 50 experienced IT, cyber and assurance professionals delivering IT risk, cyber security and productivity solutions. We build value through IT strategy, protect value with information risk and cyber security services, measure value and improve productivity with data analytics and process automation and assure value through IT audit services.