Vendor Due Diligence During a Crisis

by Sarah Harvey / April 10th, 2020

For years, businesses have relied on third-party vendors to provide critical business functions, and this is especially true today as the surge of remote workers continues and third-party vendors work tirelessly to meet the influx in demand. Third-party vendors are also doing what they can to help offset the impact of the health crisis – they’re banding together to offer free products and services. As we all adjust to social distancing and working from home, telecommunication and collaboration services from companies like Microsoft, Google, Slack, Cisco, LogMeIn, and Zoom have tried to make it easier for people to connect by offering part of their services for free. Other software and technology providers are giving free access to premium-level products. However, as remote work becomes the new norm, these “free” services might actually turn out to be more harmful than helpful as you navigate this crisis if you don’t know what to look for before you partner with them. As businesses across the globe start to take advantage of the waived sign-up fees, longer free trial periods, and suspended payments during this time of uncertainty, they also need to be cautious of who they’re really partnering with.

What Should You Be Looking for When You Partner with Third-Party Vendors?

No matter what is going on in the world, third-party vendors will always introduce additional risks into your environment. With the uncertainty of how long the coronavirus pandemic will last, it’s more important than ever to analyze what those risks are and how they could potentially impact the continuity of your business. Here’s how you can do it.

  1. Start with the general information. Get to know the business before you sign up for anything! What is their mission statement? Does it align with yours? What are all of the services they offer? What does the company structure look like? Where are they located? How will the services continue during a WFH environment?
  2. Conduct a financial review. As the economy continues to be in distress, can you rely on the vendor to stay in business? Are they stable enough? What would be the impact to your company if they went out of business?
  3. Determine the reputational risk. Is this a well-respected company? How could partnering with them potentially damage your organization in the future?
  4. Verify insurance. A lot is out of our control right now. If you decide to partner with a third-party vendor, insurance is a necessity. You should validate that your vendor has general liability and cybersecurity insurance, as well as insurance related to any specific services.
  5. Perform an information security technical review. Now is not the time to skip steps and lack thoroughness. If you’re trusting a third-party vendor with your critical assets, you need to know what their security hygiene looks like.
  6. Review policies. To ensure you know exactly how your vendor conducts business, be sure to review their policies.

Case Study: Zoom’s Mishap

Zoom offers a variety of collaboration tools, but over the last few weeks, the company has seen a demand for their services like never before after they announced that many of their services would be free. By scaling from 10 million users per day to 200 million users, it seemed quite likely that Zoom would become an instant target for data breaches. And they were. Over the last few weeks, it seems like Zoom has faced a new security challenge every day, from “Zoombombing” to lawsuits to a ban for Google employees. This has left Zoom hurrying to remediate the exploited vulnerabilities, with millions of users’ security compromised.

There is a silver lining in all of this, though. The security incidents coming from Zoom have exposed the heightened need for consumers and businesses to analyze – or even scrutinize – any third-party vendor they work with.

Don’t let this time of fear of the unknown keep you from being vigilant when it comes to protecting your business and employees against cyber attacks. Make sure you do your due diligence when partnering with third-party vendors, no matter what’s going on in the world. Contact us now to find out how we can help.

More Vendor Due Diligence Resources

What to Look for in a Quality Vendor

How to Read Your Vendor’s SOC 1 or SOC 2 Report

Common Gaps in Vendor Compliance Management