Ways to Assess Vendor Cybersecurity

Using vendors is essential for many aspects of business to ensure you are harnessing the expertise you need. While you may assess your vendors for the service they are providing, it is equally important to understand and monitor the cybersecurity measures they have in place. Neglecting to do this can potentially put both your business and your customers at risk.
November 4, 2020 | Retail
By: Aaron S.
Aaron joined Acuity in 2017 as our Retail Specialist—bringing with him almost 30 years of experience in a broad range of retail. He started his career stocking shelves in the seasonal department at a local retailer. A few years later, Aaron transitioned to a gas station/convenience store, where he worked second shift while getting his degree in organizational communications from the University of Wisconsin-Eau Claire. It was during this time he made the move to the loss prevention and safety aspect of retail. Over the next 25 years, he worked in various retail segments, including video games, cosmetics/skincare, hardware/appliances, pharmacy/grocery, and clothing. Aaron held several positions during this time, including District Loss Prevention Manager, Regional Loss Prevention Manager, Regional Compliance Auditor, and National Manager of Loss Prevention and Operations. Outside work, Aaron likes to spend time with his wife (who has also worked in retail for over 20 years) and their twin teenage boys. They enjoy being outdoors on the water, fishing, and camping. As the Retail Specialist, Aaron’s goal is to enhance the partnership between retailers and Acuity by showing retailers that an insurance company can be a supportive resource and that Acuity truly understands their industry.


There are certain steps to follow when assessing the security of your vendors. First, review your existing vendors and assign a rating to their security. Next, follow up on any security risks you uncover in this assessment. Defining vendors’ performance metrics is an important component of assessing their security, so take the time to determine a system. Finally, regularly examine your vendors’ security performance. Consistency is key.

How do you identify high-risk vendors when reviewing your list? Before committing to any contracts or providing any sensitive data, investigate what measures the company has in place to prevent and respond to cyberattacks. Make sure you thoroughly understand the links you will have with the potential vendor so you are aware of any vulnerable areas.

Gathering the proper information when assessing the cybersecurity of a vendor may seem daunting. Creating a questionnaire is a way to simplify this process. Some questions you may want to include are:

  • What security programs are in place?
  • What measures are in place to ensure data is protected when in transit from vendor, client, and/or end user?
  • How are breaches prevented?
  • How is retired media sanitized?
  • What security training is provided to employees and contractors?
  • What processes are in place to regularly check for system weaknesses?

Once the necessary information is collected, assign a rating to each vendor. Not only will a rating help you select new vendors, but it will also help you prioritize how often to monitor existing vendors. The rating gives you an indicator of where to focus more of your security monitoring.

As mentioned, it is important to set performance indicators so you can easily communicate expectations to vendors. They will also help in the rating process, as you will have clear measurements for determining performance. Your organization’s management should collaborate to define and agree upon the performance indicators.

In addition to having an assessment process in place, some companies provide cyber risk management solutions through software, consultation, and other services. This is another option for continuously monitoring the cybersecurity health of your business and the vendors you partner with.

A complete analysis that includes a thorough review of current and potential partners is key to keeping your business safe. Beginning this process might seem overwhelming, but it is easier to tackle if you have a designated method. Another step to safeguarding your business is making sure you have insurance coverage for cybercrime, such as that provided in Acuity’s Cyber Suite!

