Sourcing Responsibility to Vendors Could Be Your Biggest Mistake

In a recent survey, the Institute of Internal Auditors Research Foundation found that third-party vendors play an important role in about two-thirds of businesses across the country. For small businesses especially, this business practice has become the norm, and for good reason. Vendors can cut costs and increase the efficiency of your company significantly, giving you the freedom to focus on what you do best at the lowest possible cost.

OutsourcingStill, this trend comes with its own set of drawbacks. In particular, companies have begun to confuse the outsourcing of business processes with the outsourcing of responsibility. As a result, they’ve created massive security vulnerabilities. In fact, the same IIA survey found that third-party vendors were responsible for about two out of every three data breaches.

While the blame may lie at a vendor’s feet, your angry customers won’t see it that way. More than likely, you’ll bear the brunt of the backlash. Just look at Target: A third-party HVAC company was largely at fault for its massive 2013 data breach, but Target shouldered the responsibility, not the vendor.

Unfortunately, you can’t simply wash your hands of your vendors’ security problems — no matter how much you may want to. You need to take every part of your small business’s safety into your own hands. Take these five steps to get started:

1. Start with the contract. A contract between you and your third-party vendor is a great start, but you need to be very clear about how it will be enforced and monitored. Ask, “Is this done on an ongoing basis?” “What are the service-level agreements?” and “How are they tracked?” Determine whether your organization has a process or mechanism to inventory your vendors and service providers and perform a risk assessment.

These questions should be fully answered before you sign anything, and they should be monitored and reevaluated for compliance on a regular basis.

2. Determine your risks. Risk is often cast in a negative light. However, risk is an opportunity to optimize your business that can lead to more efficient and streamlined processes. Start by researching and cataloguing the ways in which outsourcing a particular business process leaves you vulnerable. Can you do something on your end to protect yourself? What are your vendors doing to ensure the safety of your data? If you know what’s at risk, you can identify the best way to protect it.

3. Take an inventory of your vendors. Survey your department heads to see which vendors are being used in each department and how they’re being managed. While IT certainly plays an important role in vendor management, it’s not just an IT issue. Every department must play its part.

4. Create a workflow. Establish workflows within your organization to manage and address third-party risks. For instance, mapping out the workflow with a responsibility assignment matrix can help you figure out what your employees’ roles and responsibilities are in terms of managing vendor security.

5. Find the right tools for the job. You don’t have to develop your own risk management tools, especially if you’re short on time and resources. As vendors continue to play a bigger role in the small business arena, more and more vendor management tools have sprung up.

Organizations like ISACA (formerly known as the Information Systems Audit and Control Association) and programs such as the Shared Assessments Program have created suites of tools to manage vendor risk and ensure compliance. A governance, risk, and compliance tool will help you manage your processes and policies to ensure they’re being followed.

Whether you’re conducting your business in-house or through a third-party vendor, the security responsibility will always lie at your company’s feet. By monitoring your vendors and consistently reassessing how they’re being managed, you can ensure the security of your vendors and the safety of your employees and customers.

About the Author

Brad Thies is principal at Barr Assurance & Advisory Inc., a risk consulting and compliance firm that provides business performance, information technology, and assurance services to clients across a variety of industries. He specializes in helping clients assess, design, and implement processes and controls to meet customer, regulatory, and compliance requirements. Brad is a certified public accountant and a certified information system auditor with more than 10 years of experience in the industry.