
By: Paul Dusini
We’ve all heard about data breach horror stories like Target’s staggering leak of 40 million customer credit and debit card accounts or Home Depot’s stolen 56 million payment card accounts. Considering the significant damage to a brand’s reputation and financial loss after a security breach of such magnitude, you’d think more companies would take notice and establish a more sophisticated security posture. However, you need to worry about more than just your own system’s security; many of the high profile security breaches that you hear about in the news (Target, Home Depot, Lowe’s – you name it!) have one commonality: they were all attributed to third-party vendors.
What are third-party vendors?
A third-party vendor is any organization outside of your company that provides a product or service and has access to your system. Nowadays, it’s pretty much impossible to find a company that doesn’t utilize third-party vendors. For instance, many companies use electronic billing or payroll services.
Despite the seemingly innocent nature of these strategic partnerships, third-party vendors can make or break your company’s security. Once a vendor has access to your network, they have access to confidential company, customer, and employee information. If your vendor’s network isn’t secure, they put your data at risk, and your company is completely responsible for whatever happens to that data.
In order to avoid data breaches attributed to third-party security, you must perform adequate assessments of your vendors’ security practices. Here’s the problem: many companies that need to perform vendor assessments are unequipped to do so (even companies that must perform assessments for compliance reasons), and need the help of a security company to make sure everything is running smoothly.
Here are 6 reasons why your company needs third-party vendor management services to ensure the security of your data:
1. Data breaches attributed to third-party security are increasing
This fact should be no surprise, seeing as data breaches attributed to vendors are increasingly high-profile news stories. In fact, according to PwC’s Global State of Information Security Survey, the number of security breaches attributed to vendors has increased from 20% to 28% in recent years. Obviously, companies are lacking when it comes to assessing their vendors, and their brand may be paying the price.
2. Third-party assessments take time
This is why many companies need third-party vendor management as a service – they simply don’t have time to perform adequate assessments! Not to mention the fact that many companies have dozens, if not hundreds, of vendors to assess. Security companies provide a worry-free solution by managing your vendors so you can manage your business. This way, your vendor assessments don’t suffer and business goes on as usual.
3. Vendor assessments require expert staff
This point goes hand in hand with the time aspect. Sure, your company may have a couple of information security professionals, but not enough manpower to sufficiently assess all vendors. Unlike accounting or auditing firms that may offer a service similar to vendor management, we have the security knowledge to not only address your compliance and regulatory needs but also evaluate security risks and implement methods to reduce that risk. Furthermore, experts at security companies have exceptional knowledge and a unique understanding of security tactics that many professionals don’t have. For instance, a professional from a security company may catch something that an information security specialist at your brand may have missed.
4. Security companies help with remediation
So your vendors have been assessed and some security issues have arisen. Now what? Rather than leaving you in the dust to deal with the problems yourself, security companies help with the remediation process of correcting security errors.
5. Security companies are familiar with both regulatory and security needs
Despite the high-level security threats that vendors pose, only 52% of companies have security standards for third parties, according to PwC. Security companies can help fix that. As part of third-party vendor management, security companies can help with creating guidelines that address both security and regulatory requirements for both the client and vendor.
6. Third-party vendor management includes monitoring
Your third parties need to be monitored. Once the initial assessment is complete, security companies continuously check up on your vendors to make sure everything is running smoothly. This will give your company peace of mind knowing that your vendors’ security is under watchful, expert eyes.
Essentially, third-party vendor management alleviates the stress of having to perform lengthy, in-depth evaluations of multiple different vendors. Get with NuHarbor Security to ensure the security of your vendors in the most stress-free way possible.

by Paul Dusini
Information Assurance Manager
Paul Dusini is the Information Assurance Manager for NuHarbor Security. He has more than thirty years of experience helping organizations successfully and safely use information systems to support business goals. He is an experienced CIO and Risk Manager and is certified in security management (CISM) and risk management (CRISC).
Thanks for helping me understand that a third-party vendor provides a product or service and has access to your system. My best friend is planning to put up a new business, and I think that a third-party vendor can help him manage his business. I will share this article with him so that he can have more ideas about hiring a third-party vendor.
I had no idea that a vendor management service could help perform assessments. This seems like a good way to make sure the assessments don’t suffer, like you said. I wonder how often the assessments should be performed for a company’s success.
Paul, I need the exact requirements of NYSDFS for third party vendor management and the deadline March 1. I have a vendor who is monitoring our third party vendors. We have a vendor management policy in place. Is there any special language regarding BAA I need to provide?
Thanks,
Shama
Hi Shama – Hopefully your vendor is helping to provide some guidance if they are helping with monitoring. Here’s a starting point: NYCRR 500 (the NYSDFS reg) requires Third Party Vendor Management in section 500.11 (page 7 and page 8) in this doc: https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf
Hope this helps to provide some idea of the requirements? If not, we’re happy to connect live.
Justin