Sourcing responsibility to vendors could be your biggest mistake

The vast majority of companies use third-party vendors to help them with discrete elements of their business, and government departments in particular benefit from these partnerships. Instead of having to find and pay extra specialized staff, a department can buy specific products and services from third-party vendors, thereby cutting costs and increasing efficiency.

However, there is a downside. Leaving your third-party vendors to manage their own security without considering how this might affect you can be disastrous. It may well be that every company you do business with adheres rigorously to its security practices and protocols, but until you monitor that carefully you cannot be sure. This could leave you, the government and your customers at risk: an independent study by The Institute of Internal Auditors Research Foundation (IIA) has found that third-party vendors have been at fault and responsible for over 60% of data breaches.

It may seem that you have no responsibility for how a third-party vendor does business, but you cannot simply ignore its security problems and hope they go away. For the sake of your department and your customers, you must make sure that every connection a vendor has with you and your systems is properly secured, so that it does not become a vulnerability of your own.

You should always be cautious about who you are working with, and that means checking the policies, controls, and processes they use to keep their information and their customers safe. A cyber attack on a vendor could easily become an attack on your systems as well, but as long as you manage your own security risk by assessing theirs, you can effectively protect yourself.

Here are a few ways you can maintain the safety of your department.

Check Who You Are Working With

Firstly, an inventory of your vendors is essential if you are to clarify exactly who you are working with, including what access they have to which parts of your systems. This should cover every third-party vendor, not just those used by IT departments, as attackers can infiltrate a company from any point. All vendors should be checked, including who they have worked with before and any other parties they sub-contract to themselves. If possible, create a policy that outlines the security measures you expect from each vendor and how you will verify them.

Clarify Contract Terms

Before you sign a contract, you need to make sure that it is tightened up with regard to security and compliance. List the best practices you expect, along with security training for the vendor's employees if necessary. You should also spell out any enforcement or monitoring, so that you can be sure they are continually protecting their sensitive information and will perform frequent risk assessments to identify vulnerabilities. With this in writing, you are legally protected if the vendor does not comply.

Create a Workflow to Determine Risks

Creating a workflow that shows who is responsible for which roles with respect to a third-party vendor, and which parts of the system they have access to, helps you determine your risks and any vulnerabilities. Once you know which parts of your system are exposed, you can work towards closing the gap and protecting yourself. An important part of this is establishing what your vendor's security policies and controls are and how they keep your data safe. Vendors must also comply with FISMA and other government regulations, so you need to make sure their compliance is up to date and of an acceptable standard.

Automated tools can go a long way in helping to manage vendor risk and ensure compliance, and there are many available if you are not able to develop your own. The Shared Assessments Organization and ISACA both offer tools that capture best practices for exactly this situation so that you can take control of your third-party risk, as do software companies specializing in governance, risk, and compliance solutions.

The benefits are easy to see: these tools can check vendor IT security protocols and establish third-party risk management so that you can manage your processes and policies more accurately. It is possible to risk-assess your third-party vendors manually, but as small businesses and government departments rely on more and more vendors, why waste time when automated tools can carry out the work faster and more accurately than by hand?

Security should never be compromised, and that applies both to your internal procedures and to those carried out by third-party vendors. The buck will always stop with you, so to prevent cybercrime from being the downfall of your department, make sure you monitor your vendors and confirm that their security measures are good enough to protect you, your employees, and your customers.

This article has been written by Ken Lynch, an enterprise software startup veteran and founder of