Given the sharp rise of ransomware in recent years, and how cybercriminals have evolved the tactics they use to launch cyberattacks, organizations must be able to protect their businesses from cyber threats. The more vendors you have in your extended enterprise, the harder that is.
In the past year alone, several major breaches have occurred as a result of third-party vendors suffering a cyberattack. One example is the Kaseya VSA cyberattack, where hackers exploited multiple zero-day vulnerabilities to compromise Kaseya and launch the REvil ransomware against many of Kaseya’s customers.
This shows why organizations need to conduct a third-party risk assessment as part of their due diligence process before signing a contract with a vendor. If your vendor suffers a cyberattack, a cybersecurity vendor questionnaire completed early on will save your organization time and money in the long run.
What Are the Benefits of Cybersecurity Vendor Questionnaires?
As part of the due diligence process with your vendor, your security team should have a defined list of cybersecurity questions so both you and the vendor can set clear expectations about security responsibilities.
Moreover, this questionnaire allows your organization to be proactive, rather than reactive, about your own cybersecurity strategy.
What Cybersecurity Questions Should I Ask a Vendor?
Typically, the questionnaire should address data protection and security, regulatory and compliance requirements, prevention strategies, vulnerability management, security awareness training, current security practices, and past data breach history.
Here are eight questions you should have as part of your cybersecurity questionnaire:
Will you be implementing context-based security awareness training for your employees?
The weakest link in any company is its own staff, which is why it’s critical that your vendors conduct regular security training – especially training that’s context-driven. This means that the training should be geared toward the employees’ department or the vendor’s industry to mimic the real cyber threats they’re likely to face.
How will the data be stored, transmitted, and protected?
It’s your responsibility to establish where the vendor plans to store the data (specifically, where the data servers are located), how the data will be transmitted from one location to another (whether it will be encrypted in transit), and how it will be protected against potential vulnerabilities (that is, what security measures the vendor has in place to safeguard your data from public access).
Does the vendor have a formal incident response plan in case of a cyberattack?
Every organization should operate under the belief that its cyber defenses will eventually fail. Your vendor should have an incident response plan that accounts for breach notification, incident management, remediation efforts, and a plan for how you’ll communicate with your staff and customers.
Does the vendor adhere to the regulatory and compliance frameworks that apply to it?
Based on your industry or the service the vendor is providing to you, a vendor might need to comply with multiple frameworks. For example, if the vendor will handle any credit card data for your organization (as would be the case for a retailer), it is your responsibility to ensure it complies with PCI standards.
Which security measures does the vendor currently have in place?
Ask the vendor to outline exactly what processes and policies it has in place to defend against cyber threats. Which tools and technologies does the vendor use to monitor its environment for threats? Has it outsourced security operations to another service provider, or does the vendor handle its cybersecurity fully in-house?
How often does the vendor conduct risk management services such as scanning for vulnerabilities or performing penetration tests?
Managing cyber risk is a critical aspect of any cybersecurity program. The vendor must be diligent in performing activities such as vulnerability scanning, vulnerability management, and penetration tests to identify any gaps in its systems and to patch them immediately. Ideally, these activities should be performed at least annually.
Who will have access to the stored data and which access management policies are set in place to ensure safe access?
Not all employees need access to the same data, so determine whether the vendor uses role-based access management to ensure that only employees who need access to your data can access it. In addition, the vendor should have multi-factor authentication (MFA) as an established security practice for an added defensive layer.
Are there any past data breaches or security incidents that have occurred? If so, why and what steps have been taken as a result to mitigate the risks?
This is the time to examine how the vendor responded to the incident, whether it notified the proper authorities and stakeholders immediately, and how long it took for the incident to be resolved. While your team shouldn’t discount a vendor simply because it suffered an incident in the past, you should understand the detailed steps the vendor has taken since the incident to ensure a repeat breach doesn’t happen.
How Do I Choose a Cybersecurity Vendor?
The questions provided above are a good starting point as you assess potential third-party vendors. While many large companies that you may be evaluating as a potential service provider (such as Amazon Web Services) will readily provide detailed documentation on third-party risk, a smaller company may not be as forthcoming.
Ultimately, you should choose a vendor that is willing to work with your team and is transparent about its own cybersecurity measures.
Vendor Management Made Easier with ZenGRC
Reciprocity’s ZenGRC all-in-one platform allows businesses to assess risk across various threats and vulnerabilities; detect, monitor, and remediate any risks found with real-time updates; and continuously monitor regulatory compliance of third-party vendors. In addition, ZenGRC allows businesses to conduct a security audit across a wide array of industry frameworks, identify unknown vulnerabilities, and detect suspicious behaviors.