How To Train Your Internal Teams On Identifying Third-Party Risk?

Last Updated: Aug 20, 2025

Welcoming a new team member is a bit like welcoming a new child into the family—it’s exciting, full of potential, but requires some careful guidance and a whole lot of patience. We all secretly hope for that perfect prodigy who can navigate the systems and processes of the workplace from day one. But as any good parent knows, that’s just a fantasy. 


Every new addition needs a little guidance to get comfortable in their new home. We teach them the ropes and make sure they understand the “dos” and “don’ts” of the office. But what if we skip the training because we hired the best? That is how things drift into a false sense of security. Without training, re-training, and cross-training, nobody stays current, least of all in understanding third-party risks. A robust third-party vendor risk management program and good hires are the starting point for a strong playbook that steers the workflow.

Train Your Team About the Myths of the “Ready-to-Work” Vendor

We’ve all heard the enticing pitch from the “ready-to-work” vendor. Their smooth sales talk boasts impressive security certifications and seamless integration, promising a system so intuitive it runs itself. We want to believe this is the rare unicorn that fits into our ecosystem without any training. However, just like a new employee who claims to excel at spreadsheets but falters on basics, these vendors can be misleading. Their alluring promises often mask the essential need for a structured and secure onboarding process.

The statistics paint a sobering picture, challenging the myth of the “ready-to-work” vendor. About 60% of data breaches happen because of third-party vendors. This isn’t a minor hiccup; it’s a massive, blinking red light on the dashboard. What’s even more concerning is that only 34% of companies keep a close watch on their vendors’ security after the initial onboarding. It’s as if we’re inviting guests to our home and then leaving the front door wide open while we go out for a coffee. 

Creating A “Learn to Swim” Program For Vendors

You wouldn’t throw a child into the deep end of the pool without some basic swimming lessons, and the same principle applies to vendors. They need a well-structured introduction to your security procedures, a guided tour of your digital landscape, and a clear understanding of the risks involved. Think of it as a “Learn to Swim” program for your vendors, designed to make sure they don’t accidentally create a tidal wave in your data center.

This program consists of three phases, similar to a beginner swimmer’s journey. 

1. Initial Security Orientation (Days 1-30): This phase acts as the shallow end of the pool, where you outline data management policies and security expectations. Vendors must detail their security measures while being given limited access. This approach allows for a safe transition, with one healthcare provider reducing vendor-related incidents by 58% through mandatory interactive security training.

2. Supervised Practice Period (Months 2-6): In the middle of the pool, vendors can begin working under supervision. They might need approval to edit documents, akin to using training wheels. This period is ideal for unannounced security drills and implementing two-factor authentication.

3. Full Access (After 6 Months): After completing training and demonstrating commitment to security protocols, vendors can receive full access. However, this ongoing relationship requires regular confirmation of security measures and a transparent record of vendor activities to ensure accountability and preparedness.

Train Your Team To Spot These Five Warning Signs of a Risky Vendor Early

Just like you’d look for certain red flags when dating, you should also be on the lookout for warning signs when engaging with vendors. Not all vendors are created equal, and some might be more of a liability than an asset. Here are five red flags to help your team spot risky vendors before they become a problem.

The Compliance Dodger: Demand clear security protocols and a detailed timeline for how they would respond to a breach. A vendor who is serious about security will have a plan and will be happy to share it with you.

The Shadow IT Enabler: Train employees to beware of vendors who encourage using personal accounts for business tasks. This creates “shadow IT,” a murky, unofficial layer of technology that operates outside of your organization’s control. 

The Sub-contractor Hider: Some vendors hire outside help to get a job done, but aren’t transparent about it. This can be a major problem, as you may be entrusting your data to a third party you haven’t vetted. Always ask for clarity about their partnerships and who will have access to your data.

The Update Laggard: Vendors who use outdated software or fail to update their systems regularly are a ticking time bomb. It may take some hard training, but make it a habit: teams should always ask about the vendor’s patch management process and how regularly they update their systems.

The False Urgency Pusher: If a vendor says, “We need admin access right now!” without a clear and justifiable reason, it should raise alarms. They might be pushing for a quick, unfiltered connection to your systems, bypassing your careful security procedures. Your team should know this in their sleep. 

If Things Go Wrong: The Breach Response Plan

Even the best security programs may face challenges. What separates a minor issue from a major crisis is how prepared you are to respond. The first 60 minutes after a breach are a critical window of opportunity. This is not the time for finger-pointing or panic. Your team needs to act fast with a clear plan that includes immediate containment of affected systems, a clear communication strategy for notifying internal and external stakeholders, a rapid assessment to understand the scope of the breach, and meticulous documentation of every action taken. A well-defined breach response plan is like a digital fire extinguisher—you hope you never have to use it, but you’ll be eternally grateful to have one if a fire breaks out. It also has to work when needed, so conduct mock drills regularly to confirm that it is reliable.
