Security Awareness for Vendors and Contractors

February 4, 2019 by Greg Belding

Introduction

Security awareness is of utmost importance in today’s business world. Your current organization most likely has a security awareness program and practically everyone else’s does as well.

What you may not realize is that security awareness is just as essential for the vendors and contractors that work with your organization. This article explains why security awareness matters for vendors and contractors and walks through several considerations for judging the security awareness of the third parties you work with.

Why You Should Care

Working with vendors and contractors is something that nearly every organization has to do in one form or another. You may be asking: why would security awareness for my vendors and contractors affect me? Simply put, you may be liable for their actions, and that liability can be costly.

Third parties, including vendors and contractors, were responsible for sixty percent of data breaches in 2015, and these breaches potentially affected more than 41 million individuals. Many of these breaches trace back to the actions of the vendor's or contractor's employees, and that pattern correlates with the lack of an effective security awareness program. Additionally, a report conducted in 2014 found that:

  • 59% of employees store sensitive organization data in the cloud
  • 58% store sensitive organization data on their mobile device
  • 35% have opened an email attachment sent by an unknown individual
  • 33% use the same password for both work and personal purposes

This is just the tip of the iceberg for these statistics and in the end, these figures all boil down to one thing: security awareness is needed for vendors and contractors.

Considerations

Before you begin working with any new vendor or contractor, take the following points into consideration when judging the vendor's or contractor's security awareness fitness.

1. Do They Practice What They Preach?

The first consideration is: does the vendor or contractor have documented information security policies and procedures, and do the vendor's or contractor's employees actually follow them? Many small organizations pass information security practices along by word of mouth and skip the documentation entirely. To make matters worse, some organizations are far behind in updating the policies and procedures they do have. An effective information security program will be documented, communicated to all applicable employees through security awareness training, and updated to keep pace with changes in the information security landscape.

2. Does the Vendor or Contractor Have Security Awareness Training for Their Employees?

The more exposure an employee has to security awareness topics, the more likely they are to notice when something is wrong and to report it to their manager or supervisor. A vendor or contractor that trains its employees in security awareness is therefore less likely to take actions that expose you to liability, which makes that training one of the most valuable things you can ask for.

The logical next question is: what should your vendor's or contractor's security awareness training include? There is no set definition of what it must contain, but it has to go beyond simply asking their employees to read related regulations such as HIPAA (which applies to the healthcare industry). Sadly, for some contractors, that is the full extent of what they call "training."

3. Evaluating a Vendor or Contractor’s Security Awareness Training

So you have verified that your vendor or contractor has implemented a security awareness training program. At this point you are strongly encouraged to evaluate their program. Below are two key indicators that will help you make an informed decision about the vendor or contractor’s security awareness.

Documentation

Documentation is one of the best trails of evidence a vendor or contractor can provide to prove they have adequate security awareness training. A good security awareness training program generates a good amount of verifiable data by way of documentation, including training session attendance lists, certificates of completion, questions asked by the trainees and written records of teachable moments.

Non-Documentation

There are some other non-documentation factors that should be analyzed to get a better idea of the vendor or contractor’s security awareness. These factors include:

  • Whether the training is based on sound instructional design principles
  • Whether the class is interactive
  • Whether the training addresses the top information security threats and concerns
  • Whether administrators have reporting capabilities
  • Whether effectiveness can be easily measured, for example through surveys and information security incident reporting

The best way to evaluate all of this is to sit in on a security awareness training session hosted by the vendor or contractor. A vendor or contractor with a solid program should be glad to have you attend. If no training session is scheduled in the near future, you can also get a feel for the program by reviewing the training materials while talking with the trainer or the member of the security department responsible for training.

4. The Service-Level Agreement (SLA)

The SLA is where you establish the rules of your relationship with your vendors and contractors. Working with third-party vendors and contractors opens your organization up to new risks, and the SLA needs to address the impact of those relationships. A solid SLA will include a provision requiring security awareness training within the vendor's or contractor's organization. It is also a good idea to require that the security awareness training be reviewed and approved by your organization before the partnership begins; this gives you contractual recourse if the training later proves inadequate.

Conclusion

Working with third-party vendors and contractors is very common, but it does expose your organization to some risk. The way to manage that risk is to analyze your vendor's or contractor's security awareness fitness as detailed above. Couple this analysis with a strong SLA and you will minimize and mitigate the liability your organization carries for a vendor's or contractor's lack of security awareness.

Sources

Hiring contractors? 5 areas to check information security practices, Dell

Why Work with Vendors That Don’t Exhibit Cybersecurity Awareness?, My TechDecisions

Key Findings from Security Awareness Training Survey Unveiled by Security Mentor and Enterprise Management Associates, SecurityMentor

Report Summary - Security Awareness Training: It's Not Just for Compliance, EMA

Greg Belding

Greg is a veteran IT professional working in the healthcare field. He enjoys information security, creating information defensive strategy, and writing, both as a cybersecurity blogger and for fun.