Selecting Secure Third-Party Vendors, and Why It Matters

June 10, 2021
Written by
Daniela Meng
Contributor
Opinions expressed by Twilio contributors are their own


We often think of a data breach as something that happens directly to an individual customer or directly to a business. As technology advances, however, there is growing evidence that attackers are reaching both consumers and companies through insecure third-party vendors.

Companies rely on third-party vendors to supply critical functions like payroll, IT infrastructure, and software development. Because they provide these integral components to how a business works, these vendors can also pose physical or cybersecurity risks that could result in data breaches or product corruption.

Today, attackers target third-party vendors to gain footholds into larger companies' sensitive data. Instead of going after one large company's data, these bad actors collect large amounts of PII (Personally Identifiable Information) by going after a third-party vendor that works with multiple large organizations. Below are some key practices for properly vetting the third-party vendors you choose for your company, so that security is maintained on both sides throughout the partnership.

Determine inherent risk

Based on a study from SC Magazine, 44 percent of companies have experienced a data breach involving a vendor over the past year. This isn't limited to smaller businesses that run lighter on security: the companies affected include many big businesses, such as Amazon, Stripe, Shopify, T-Mobile, and Target.

When resources are constrained, managers need to prioritize their investments of time and money. As with many other security choices, using a risk-based approach makes sense for allocating resources to reviewing the vendors that could have the largest impact on the company should a security breach occur.

In order to manage risk and ensure third-party vendors have been properly vetted, a good first step is to establish some form of tiered assessment system that determines what level of inherent risk a vendor poses. Using the tiers below, you can determine how much research and vetting you should do on a vendor before approving them to work with your company.

Tiers of risk

Tier 1

Has access to, or stores, the company's restricted data and/or proprietary source code, and/or is considered a critical customer-facing business continuity concern. This vendor has access to nearly every level of your company data, including your customers'. Because of this level of access, it is vital to vet this type of third-party vendor extensively and often.

Tier 2

Has access to, stores, or transmits the company's customers' personally identifiable information (e.g. first/last name, email address, physical address, etc.), and/or has access to, stores, or transmits company non-customer Confidential or Restricted data, and/or provides internet-facing software or applications or hosts your company's website, and/or is considered a non-customer-facing business continuity concern.

This level of vendor has nearly the same amount of access as a Tier 1 vendor; however, they are used for internal (as opposed to customer-facing) business continuity needs and have very little access to customer data. Despite this, given the amount of access they still have to your company or employee data, it is a good idea to vet them at the same level as a Tier 1 vendor.

Tier 3

Has physical access to a company office location.

For a vendor that has access to your physical location, it is good practice to include background check language in your partnership contract to cover the physical security risk. Because such a vendor has no access to digital assets, use your best judgment on whether vetting beyond this is necessary.

Tier 4

Does not access, process, store, or transmit any company data, does not have physical access to an office location, and is not considered a business continuity concern.

For third parties classified as Tier 4, there is no security risk, so a security review is not necessary.

Creating a risk-based third-party vendor selection and tiering process gives your business real ownership of its own security, and of each partnership in proportion to the risk you take on with the third-party vendors you choose.
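The tiering rules above are a small decision procedure, and encoding them makes the precedence between tiers explicit (a vendor matching both Tier 1 and Tier 2 criteria lands in Tier 1) and lets you sort a vendor inventory so review effort goes to the highest-risk relationships first. The following script is an added illustration, not Twilio's code or tooling; the `Vendor` attribute names, the `classify` and `triage` functions, and the sample vendor records are all constructed for this example. The vetting actions attached to each tier are the ones the text describes: a full security assessment and continuous monitoring for Tiers 1 and 2, background check contract language for Tier 3, and nothing for Tier 4.

```python
from dataclasses import dataclass


@dataclass
class Vendor:
    """Inherent-risk attributes of one third-party vendor (constructed schema)."""
    name: str
    # Tier 1 criteria
    restricted_data: bool = False     # accesses or stores company restricted data
    source_code: bool = False         # accesses or stores proprietary source code
    customer_facing_bc: bool = False  # critical customer-facing business continuity concern
    # Tier 2 criteria
    customer_pii: bool = False        # accesses, stores or transmits customers' PII
    confidential_data: bool = False   # non-customer Confidential or Restricted data
    internet_facing: bool = False     # internet-facing software, or hosts the company website
    internal_bc: bool = False         # non-customer-facing business continuity concern
    # Tier 3 criterion
    physical_access: bool = False     # physical access to a company office


# Vetting actions per tier, as described in the text. Tier 2 is vetted
# at the same level as Tier 1; Tier 4 needs no security review.
VETTING = {
    1: ("full security assessment", "continuous monitoring"),
    2: ("full security assessment", "continuous monitoring"),
    3: ("background check language in contract",),
    4: (),
}


def classify(v: Vendor) -> int:
    """Return the inherent-risk tier (1 = highest). Rules are checked in
    order of severity, so a vendor matching several tiers gets the highest."""
    if v.restricted_data or v.source_code or v.customer_facing_bc:
        return 1
    if v.customer_pii or v.confidential_data or v.internet_facing or v.internal_bc:
        return 2
    if v.physical_access:
        return 3
    return 4


def triage(vendors: list[Vendor]) -> list[tuple[str, int, tuple[str, ...]]]:
    """Return (name, tier, required vetting) for each vendor, highest risk first,
    so constrained review time is spent on the vendors with the largest impact."""
    rows = [(v.name, classify(v), VETTING[classify(v)]) for v in vendors]
    return sorted(rows, key=lambda r: (r[1], r[0]))


# Constructed sample inventory; names and attributes are illustrative only.
SAMPLE_VENDORS = [
    Vendor("office-cleaning-co", physical_access=True),
    Vendor("payroll-saas", customer_pii=False, confidential_data=True, internal_bc=True),
    Vendor("cdn-hosting", internet_facing=True, restricted_data=True),
    Vendor("swag-printer"),
    Vendor("support-desk-tool", customer_pii=True, physical_access=True),
]

if __name__ == "__main__":
    for name, tier, actions in triage(SAMPLE_VENDORS):
        print(f"Tier {tier}  {name:20s}  {', '.join(actions) or 'no review required'}")
```

The ordering in `classify` is the point worth noticing: "restricted data" appears in both the Tier 1 and Tier 2 descriptions, and `support-desk-tool` has both PII access and physical access, so without an explicit severity order a vendor could be under-tiered. When extending the schema, add new criteria to the tier they belong to rather than appending a new branch at the bottom.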

Do your research

If you are working with third parties classified as Tier 1 or 2, a thorough security assessment is the next step in your vetting process. Much like hiring a candidate for a role within your organization, this step requires research, background checks, talking to references, and making sure the vendor is a good fit for your business. Consider including the following in this process:

  • Reputation and financials
  • Reliability and SLA to their customers
  • Range of products and services
  • Internal expertise
  • Security controls in place gathered through security questionnaire responses that cover basic security hygiene (this helps you understand overall security posture and residual risk to the company)
  • Adherence to regulations, compliance, and certifications
  • Adequate security language within the contract

If you identify risks after conducting your review, communicate them to the appropriate business owner and to the vendor to determine the proper remediation. How a vendor responds here is also a tell for the long-term partnership: if the vendor values the potential of the business relationship, they will make fixing the issue a priority so an agreement can be reached.

Stay vigilant with continuous monitoring

Just because a vendor passes an initial assessment and meets the security requirements on first review does not mean they will continue to do so over time. Inherent risk means there will always be a certain amount of risk in doing business.

As noted above, when specific risks are identified while reviewing a vendor, a business should ensure those liabilities are remediated in a timely manner. This is true not only at the beginning of a business partnership but across the whole scope of work together. It means holding the vendor accountable by withholding the partnership until security is prioritized.

For your business specifically, this also means continuously monitoring the third party to understand whether the scope of services delivered to your business has changed, following up on open security risk issues, and reviewing updated questionnaire responses and security documentation over time.

Creating trustworthy, long-term relationships

At Twilio, we think of ourselves as a trust company. And because of that, we look at security as a shared journey with our partners and customers. Thinking of security as a joint agreement beyond the actual goods or services exchanged means that while one company can do it alone, the care in securing our data is an ongoing responsibility we both share.