6 Common Misconceptions Regarding Vendors’ Data Security Risk

Do Any of These Beliefs about Data Security Risk Sound Familiar?

#1 If a vendor has been certified as PCI or HIPAA compliant, procurement can skip the security review.

Not a good idea.

  •      Regulatory compliance is just one data point. A vendor can be PCI compliant for a narrowly scoped portion of its technology yet have weak controls everywhere else, including the systems that will actually touch your data.
  •      Products and applications that were compliant when assessed often drift out of compliance: they are implemented with weak controls, or environmental changes over time erode the original compliant configuration until it no longer meets the standard.
  •      A vendor may be PCI or HIPAA compliant while its own subcontractors and suppliers are not, and it is those fourth parties that can ultimately put the vendor, and therefore your organization, at risk.
  •      Compliance is point-in-time. PCI DSS, for example, requires an assessment at least annually, so a vendor's status has to be re-verified on a schedule rather than assumed from last year's certificate.
  •      Be wary of vendors whose product seems too good to be true. No single product will make your environment PCI or HIPAA compliant by itself; many vendors overstate their claims and promise more than they can deliver. In the event of a security breach, consumers won't care whether the fault lies with your business or with your vendor partner.

#2 Because we are a privately held company, we don’t need to demonstrate the same level of data security risk due diligence as a public company; we are also not required to disclose any data breaches.

Not true.

  •      Wow.  Are there still people in positions of power that believe this?
  •      Breach notification laws apply to any organization that holds the affected data, public or private. If PII or regulated data is exposed, the organization must notify; there is no get-out-of-jail card for private companies.
  •      California and other states set their notification requirements based on what data was exposed and how many residents were affected, not on whether the company is publicly or privately held.

#3 If we were to have a data breach our customers would continue to do business with us if it wasn’t our fault.

Research has shown that it doesn’t matter how a breach occurs – a serious breach picked up by the media can have a negative impact on revenue and company valuation.

  •      Ask Target
  •      Then ask Home Depot
  •      When consumer satisfaction, trust, and confidence drop because of a data breach, the bottom line takes the hit. Make no mistake: if your customers lose confidence in your ability to protect their data, they will go elsewhere and, even worse, they will blacklist you on social media, where their complaints spread like wildfire.

#4 If a data breach occurred, our executive team is not liable and won’t be held responsible

Depends on the publicity and consumer impact of the data breach.

  •      Whoops! Take a look at the Target breach disclosed in December 2013.
  •      Executives lost their jobs: the CIO resigned in the months that followed, and the CEO resigned as well.
  •      When the impact of a data breach reaches shareholder value, consumer confidence and loyalty, and ultimately bottom-line revenue, it's time to dust off the resume. One of the few teams that usually emerges unscathed after a major breach is the Procurement Team, even when the breach is attributed to a third-party service provider for which Procurement skipped the risk assessment.
  •      How much longer do you think that the Procurement Team will escape accountability?

#5 All open connections into my environment are well known and are properly managed and monitored.

Be careful – if you believe you are completely secured, you may miss something.

  •      External connectivity requirements change constantly to support vendor engagements. Temporary connections are left in place and quietly become permanent; over time these forgotten connections are the ones that lack proper data protection and turn into a major data security risk. Every vendor connection needs a named owner, an authorizing change record, an expiry date, and periodic review of whether it is still used.
  •      Third-party access was the entry point at both Target (stolen credentials of an HVAC vendor) and Goodwill (a compromised third-party payment vendor).
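The point above is that vendor connections need an owner, an authorizing change record, an expiry date, and evidence of use, and that anything missing those is a candidate "temporary connection that became permanent". The following is an added example, not code from the original article, showing how such an audit can be run over an export of firewall or VPN access rules. The rule records, the field names (owner, ticket, expires, last_seen) and the sample vendors are constructed assumptions for illustration; map them onto whatever your own firewall or VPN export actually provides.

```python
"""Audit third-party network access rules for forgotten 'temporary' connections.

Added example for this article, not its own code. The AccessRule fields and the
SAMPLE_RULES below are constructed for illustration (assumption), not a real export.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class AccessRule:
    rule_id: str
    vendor: str
    src_cidr: str              # vendor source range allowed in
    dst_port: int              # internal service exposed to the vendor
    owner: Optional[str]       # named business owner, None if nobody owns it
    ticket: Optional[str]      # change request that authorized the rule
    expires: Optional[date]    # None means the rule was created as "permanent"
    last_seen: Optional[date]  # last time traffic matched the rule, None if never


def audit_rules(rules: List[AccessRule], today: date,
                idle_after_days: int = 90) -> Dict[str, List[str]]:
    """Return {rule_id: [finding, ...]} for every rule that needs attention.

    A clean rule has an owner, a ticket, an expiry in the future, and recent traffic.
    """
    findings: Dict[str, List[str]] = {}
    for r in rules:
        issues = []
        if r.owner is None:
            issues.append("no owner")
        if r.ticket is None:
            issues.append("no change ticket")
        if r.expires is None:
            issues.append("no expiry (permanent)")
        elif r.expires < today:
            issues.append(f"expired {(today - r.expires).days} days ago but still active")
        if r.last_seen is None:
            issues.append("never used")
        elif (today - r.last_seen).days > idle_after_days:
            issues.append(f"idle for {(today - r.last_seen).days} days")
        if issues:
            findings[r.rule_id] = issues
    return findings


# Constructed sample data (assumption): four vendor rules as of the audit date.
TODAY = date(2015, 3, 1)
SAMPLE_RULES = [
    # well-managed: owner, ticket, future expiry, recent traffic
    AccessRule("R1", "HVAC maintenance", "203.0.113.0/28", 443,
               "facilities", "CHG-1001", date(2015, 6, 30), date(2015, 2, 27)),
    # classic forgotten connection: nobody owns it, never expires, idle for months
    AccessRule("R2", "payment kiosk support", "198.51.100.0/24", 22,
               None, None, None, date(2014, 9, 15)),
    # authorized but expired and still open
    AccessRule("R3", "POS patch testing", "192.0.2.10/32", 3389,
               "retail-it", "CHG-0877", date(2014, 12, 31), date(2015, 2, 20)),
    # opened for a pilot that never started
    AccessRule("R4", "pilot analytics", "192.0.2.200/32", 1433,
               "marketing", "CHG-1200", date(2015, 4, 1), None),
]


def sample_findings() -> Dict[str, List[str]]:
    """Run the audit over the constructed sample set."""
    return audit_rules(SAMPLE_RULES, TODAY)


if __name__ == "__main__":
    for rule_id, issues in sample_findings().items():
        print(f"{rule_id}: {'; '.join(issues)}")
```

Run against a real export, the output is the list of connections Procurement and the network team should either re-authorize (with an owner and a new expiry) or close; a rule with no ticket and no owner is exactly the case the article warns about.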

#6 My vendors signed contracts that assert that their security and privacy controls are strong and effective – so why do I need to do anything more to verify this?

Common misconception.

  •      Procurement should use an objective process to determine which vendors require a data security assessment.
  •      The fact that a vendor asserts these claims won’t protect you in the court of public opinion should a major data breach occur.
  •      Relying on vendor attestations alone is never a good idea. Even the old-school approach of picking a sample of vendors at random and actually assessing them produces more reliable evidence than a stack of signed contract clauses.
  •      Procurement should implement a “trust but verify” model for long-term successful and safe vendor engagements.