Good news: Date nights are back on!
That’s correct … Mrs. Black and I headed out to an event a couple of weeks ago, doing our best to pick up where the pandemic found us back in early 2020.
Of course, our babysitter bullpen has been depleted over the past two-plus years. Some are now in college, some have full-time jobs, some have simply vanished.
Fortunately, Rachel found a babysitter – a friend of one of her friend’s babysitters.
Me: Rach, what is the babysitter’s name?
Rachel: Brianna. Brianna the babysitter.
Me: What’s her last name?
Rachel: “The babysitter”
Me: What can you tell me about her?
Rachel: She’s Sarah’s babysitter’s friend. She is in high school.
Me: How did she sound on the phone? What did her references say?
Rachel: Um … she’s Sarah’s babysitter’s friend. She is in high school.
Clearly, Mrs. Black was ready for a well-deserved night out. And while I would have grilled the babysitter on the phone and spoken to a reference or two, everything worked out fine.
We had a date night, the kids loved Brianna, and the house was still standing when we came home.
Vendor Security Reviews Are Important
Most medium-sized companies have hundreds of vendors spanning dozens of functions: payroll, finance, email, project management, marketing, communication, HR, benefits, and more. Also, any product that needs building will typically require many additional vendors.
Further, and because vendors are used by different departments, there is often no centralized system or consistent process for vetting, hiring, and managing them.
But wait, it’s even more complicated than that. Your vendors are not all the same – some are relatively unimportant while others can cause major problems for your company. Figuring out which is which can be a challenge.
With that in mind, here are some things to consider and steps to take…
Who are your vendors?
Absent a mature vendor management program, you probably don’t even know who all of your vendors are.
So, start by checking with your Accounts Payable department. They may not know about the ones that are paid by credit card, but it’s a good start.
Next, go department by department and ask for a list of all the vendors they work with and the systems used to track them. Again, it won’t be a complete list, but these two steps should get you 70% or more of the way there.
Don’t let perfect be the enemy of the good – just get started!
Which vendors are most important?
If your coffee supplier failed to deliver on schedule, while you might be faced with a disgruntled mob of under-caffeinated employees, your organization would (probably) survive. If your parts supplier shut down, well, that might be a different story.
Understanding what data is stored in which systems can be an important part of this discovery, too. It doesn’t matter where the company cat photos live; it matters a LOT where your confidential intellectual property is housed.
Take time as well to consider which systems are critical in delivering your services and how you would respond in the event of an outage.
If your customer support software is down for five minutes, you can probably recover. If it is down for five hours, you had better have an alternate plan. Similarly, if you run a hospital, you could have a major problem on your hands if your backup power generator is not able to step up and work 100% of the time.
Focus on where you can have the greatest impact.
Most medium-sized companies are simply not big enough to warrant a comprehensive vendor management program. So apply the 80/20 rule based on the guidelines above and pay attention to the ones that really matter.
But… ignore the MOST important vendors. That’s right, you can ignore Microsoft, Google, AWS, Salesforce, and other large industry leaders.
First, they already have comprehensive cybersecurity and backup programs in place. Second, even if you wanted them to make changes on your behalf, you won’t get their attention unless you are the CTO (or similar) of a Fortune 500 company.
Instead, you’ll get the most bang for your buck by focusing on the five to ten second-tier vendors that handle your important data and/or make up critical elements of your service. Examples include project management software, a key component-maker of your product, or the law firm that houses lots of your confidential information.
They want your business and are likely to be responsive to your requests. Plus, because they are second tier, they may not have the best security systems in place.
Here are some things to ask them:
- Can you provide documentation regarding your security program?
- Who has access to my data? How many people? How is access restricted?
- Is multi-factor authentication required to access my data?
- Where is my data stored? Where is it backed up?
- What is the frequency of patching for all relevant systems?
There are many more things you can ask (click here for a more comprehensive list and approach), but these will get you started.
Vendors Need to be Managed
Outsourcing various aspects of your business to capable third parties makes perfect sense – no company can or should do everything in-house.
But keep in mind that every time you entrust some aspect of your operation to an outsider, you are taking on a degree of risk. You can reduce that risk by choosing your vendors wisely, focusing your attention on the most critical, and asking enough questions to get a clear picture of how they operate.
Oh, and babysitters aside, it’s probably a good idea to ask for their last names, too.