Vendor selection should prioritize security over low-cost when it comes to protecting data

The days when South African companies could hope to escape the attention of cybercriminals are long gone. That became evident once again in February when the personal data of 1.7-million Nedbank clients was exposed by a third party vendor.

Such events are a potent reminder that companies cannot afford to make vendor decisions based purely on price when information security and data protection are at stake. That’s especially true when it comes to choosing a third-party supplier that will be processing customers’ personal data. Here, the low price may be at the expense of proper information security practices.

And in a world where the average breach costs R43.3-million and can do serious reputational damage, that’s not a risk worth taking.

Outside of those considerations, it’s also worth remembering that failing to properly secure customer data could soon land organizations in a pile of legal trouble.

The long-awaited Protection of Personal Information Act (POPI) may finally be enacted in April this year. Assuming a 12-month grace period, this means that companies will have to comply by April 2021. Rather than rushing to be compliant just before the grace period ends (as happened with the European Union’s GDPR), organizations should work on complying now.

This won’t only save them time and effort later on, but ensure that they’re better prepared for a data breach than they would otherwise have been. And those preparations should, of course, include choosing the right third-party vendors.

Choosing a vendor

When looking for a vendor that will process personal data, the first consideration needs to be security – how they protect the information in their care, what policies and procedures are in place, and whether all of their employees are trained on information security practices.

Here are the fundamental questions to ask a vendor:

Do you have an information security management system and can you show evidence of this in practice?

This refers to the documents and processes a company must have to adequately manage its security practices. It is not good enough to just have the documentation, the vendor needs to show evidence that the security processes are integrated into their operations.

How often do you review your information security policies and how are your employees trained on these?

A company should review policies at least annually. Likewise, all employees that touch protected information or resources must be fully trained on the security practices and this training must be repeated annually.

Do you perform annual security audits?

Security best practices change all the time to address new threats. A security audit should be conducted at least once a year.

Do you have an applicable certification to show your level of compliance with information security best practices?

Knowing the vendor has successfully passed a certification audit such as ISO 27001 gives you peace of mind that their security practices are mature and maintained. If the vendor is not certified, you will need to conduct an information security audit as part of your selection process.

Capability over cost

Ultimately, the third-party vendor any organization chooses should be the most capable one, rather than the cheapest. As many organizations have discovered over the years, using a low-cost vendor now can end up costing massively in the long term.

Any vendors that deal with customer data should be able to answer the above questions and also demonstrate a solid track record when it comes to protecting personal data.

Choose the right vendor and companies can build trust and loyalty, both of which are invaluable. Get it wrong, and the reputational and financial risks are potentially massive.

Feature image: George Becker via Pexels