Many small- to medium-sized businesses rely on third-party vendors for some of the critical-path IT functions of a business. When they do this, the responsibility for maintaining IT security is transferred to the vendor. This may increase the risk of potential damage caused by security breaches.
There have been many examples of serious security breaches at vendors that have done major harm to their clients. This is why conducting detailed due diligence is necessary to identify the security risks of using a third party vendor’s services or software tools.
Comprehensive due diligence for security risk analysis focuses on the following areas and specifics:
- Historical record of problems and how the vendor dealt with security issues.
- Upgrade policy and rapid response with security patches for vulnerabilities.
- Use of encryption to protect sensitive data.
- Vendor’s ability to view, share, or sell data to other parties. Any transfer of data to other parties adds additional security risk.
- Does the vendor have a dedicated security team?
- Do they conduct regular security audits and are those reports available to clients?
- Specific security protocols must be in place if there is a legal requirement for data protection. Examples of this include attorney-client privilege in the legal profession, strict privacy rules under HIPAA for healthcare records, and student information under COPPA and FERPA rules.
IT security risk is a serious issue. Businesses that are not experts in IT security issues benefit strongly by using a specialist consulting firm to help with the due diligence requirements in this area.
Sentree Systems Corp. gives data security advice for clients in Indiana serving the communities of Indianapolis, Avon, Plainfield, Carmel, Fishers, Noblesville and others. We recommend conducting a detailed review of the Service Level Agreement (SLA) from any vendor and a security audit to help identify security risks. It is much better to know in advance of the existence of potential security risks and take steps to mitigate them, rather than being blind-sided by sudden damage from a security breach that is not expected.
