Every day, more and more small and mid-size businesses are asked to show proof of their cybersecurity compliance to maintain business contracts. These requests have different names, such as “Third-Party Assessment Questionnaire”, “Vendor Cybersecurity Assessment” or “IT Security Questionnaire”, but all create a sense of anxiety and sleepless nights.
Not all businesses have the personnel or expertise to fulfill the request in the allotted time frame. A business that hasn't started its compliance journey at all is in even greater need to build a cybersecurity, compliance and privacy program quickly.
Noncompliant Vendors = Weak Link
In 2019, Spiceworks surveyed 600 IT decision-makers about their cybersecurity posture and reported that “nearly half (44 percent) of firms had experienced a significant, business-altering data breach caused by a vendor”. With businesses facing an almost 1 in 2 chance of being breached because of a vendor, big businesses are forced to restructure vendor relationships and compliance requirements to protect themselves and their private data.
Don’t Tell Me You’re Cybersecure, Show Me Your Compliance
State agencies, the Department of Defense through CMMC, major medical conglomerates and more are no longer taking their vendors’ word that they are compliant. Businesses are being handed extensive, complicated surveys to complete, along with documentation that supports their claim of compliance.
It’s a Risk Evaluation Disguised as a Survey
These requests are extensive, time-consuming and can be extremely costly if a business doesn’t complete them.
These questionnaires are sent in order to evaluate the vendor’s cybersecurity and compliance program and to understand the risks involved with using that company’s product or service. They include specific questions regarding policies and procedures that go beyond IT security. The detail and time requirements for these questionnaires are increasing. Typically, these surveys cover topics such as:
- Third-party performed security risk assessment
- Security IT audits and penetration testing
- Internal information security practices and policies
- Personnel policies, hiring practices and training programs regarding cybersecurity awareness
- Security certifications
- Service Level Agreement and uptime vs. downtime
- Web application security
- Physical and datacenter security
- Infrastructure security
- Business continuity and incident response
- Third-party risk management
Not only is there a wide range of topics, but the questions are in-depth and require documented proof that policies and procedures for information security have been approved and communicated appropriately, and of how they are being managed and monitored.
These evaluations bring two levels of anxiety to a vendor. First, completing one within the given time frame takes know-how, time and a concerted effort. Second, what you submit needs to show that you are a low-risk vendor the customer wants to continue doing business with.
Get the Support and Guidance You Need
At CyberCompass, we work across multiple industries, from aerospace, finance, healthcare and manufacturing to telecommunications, with vendors who were asked to prove compliance quickly or face the loss of contracts. The power of our automated tool allows us to complete multiple regulation assessments in a fraction of the time. We build a custom risk management plan, create policies and procedures per the regulation, build strategic plans and help implement them across the business ecosystem.
Not sure of your next steps? Talk to one of our experts about what pressures your business is facing. Contact us today to see how we can help you protect your business and sleep better at night.