InfoSec Challenges and Best Practices When Reviewing Small Critical Vendors

In today’s risk environment, any organization, regardless of size and industry, can become the target of a cyberattack. This means it’s vital to ensure that your critical vendors can protect your data from potential incidents. Without your critical vendors, your organization may be unable to perform the most basic functions as they contribute to operational efficiencies.

However, your organization may face serious financial, legal, and reputational damages if their cybersecurity risks go unchecked. Sometimes, your critical vendor may be a smaller organization. And, when dealing with critical vendors that are small or have immature information security (InfoSec) programs, you’ll face a unique set of challenges. Malicious actors target small vendors because of their limited resources and security policies, making it more important than ever to effectively assess your smaller vendors for potential threats. 

6 Best Practices for Reviewing Immature InfoSec Programs

Reviewing critical vendors that are small or have immature InfoSec programs can be challenging, as the vendor may not have established controls or detailed plans in the same way that a larger organization might. 

Here are several best practices for reviewing a vendor with an immature InfoSec program:

1. Communicate your expectations and standards. It’s important that your vendor can meet your security standards, or you’ll be putting your organization at risk of suffering a third-party data breach or other attack. You need to know what your vendor’s security posture is, what controls they have in place, and whether it’s sufficient. Likewise, ensure that your vendor knows what you expect of their security measures. Additionally, you need to review and ensure that the vendor complies with industry and federal cybersecurity regulations. This is best done in the contract phase, but it’s never too late to put your expectations in writing.
2. Ensure the vendor has effective incident response and disaster recovery plans in place. While the vendor may lack some controls or sophisticated security software, you should assess the vendor’s incident response and disaster recovery plans. Without these, the vendor may not react quickly or effectively enough following an incident, which could seriously harm your organization as well. 
3. Include provisions in your contract and service level agreements such as breach notifications and zero trust models. Especially with the heightened risks associated with smaller and immature vendors, it’s important to set contractual requirements for your vendor to meet. 
4. Assess any reports, testing, and documentation the vendor can provide. The more information there is to assess, the better picture you’ll have of your vendor’s risk posture. Because of their size or maturity level, the vendor may not have the same documents readily available as a more established organization. Work with your vendor to find alternatives to reports and assess any documents they can provide. In some cases, it may be beneficial to perform an on-site visit. 
5. Perform ongoing monitoring activities. Risks continue to change, evolve, and emerge, so you should assess your vendor’s security measures throughout the course of your relationship. Ensure that information is updated and current, so you can identify and address risks as they appear. 
6. Explain the importance of cybersecurity and why it’s a top priority. In smaller organizations, the employees and members of senior management may be handling several different responsibilities at once. You should stress why cybersecurity is so important as well as how it can benefit both their business and your relationship. Explain to your vendor why security is important and why it should become a priority for them as well. 

When reviewing critical vendors that are small or that have immature InfoSec programs, you should be sure to communicate your expectations, work with the vendor, and receive enough information to form a full picture of your vendor’s risk posture. As hackers continue to target small vendors, it’s essential to ensure that your vendors can effectively secure your data and notify you if an incident ever occurs.