Security Awareness for Vendors and Contractors
Introduction
Security awareness is of utmost importance in today’s business world. Your current organization most likely has a security awareness program and practically everyone else’s does as well.
What you may not realize is that security awareness is also essential for vendors and contractors that work with your organization. This article will detail the importance of security awareness for vendors and contractors and will give some insight into various considerations regarding your organization’s security awareness and which apply to your vendors and contractors.
Two year's worth of NIST-aligned training
Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.
Why You Should Care
Working with vendors and contractors is something that nearly every organization has to do in one form or another. You may be asking: why would security awareness for my vendors and contractors impact me? Simply put, you may be liable for their actions and this liability can cost your company big.
Third parties, including vendors and contractors, were responsible for sixty percent of data breaches in 2015 and these breaches potentially affected more than 41 million individuals. These breaches are caused by the actions of the vendor or contractor’s employees and can be correlated with a lack of an efficient security awareness program. Additionally, a report conducted in 2014 found that:
- 59% of employees store sensitive organization data in the cloud
- 58% store sensitive organization data on their mobile device
- 35% have clicked on an unknown email attachment sent by an unknown individual
- 33% use the same password for both work and personal purposes
This is just the tip of the iceberg for these statistics and in the end, these figures all boil down to one thing: security awareness is needed for vendors and contractors.
Considerations
Before you begin working with any subsequent vendors or contractors, take the following points into consideration when judging the vendor or contractor’s security awareness fitness.
1. Do They Practice What They Preach?
The first consideration is: Does the vendor or contractor have documented information security policies and procedures, and do the vendor or contractor’s employees follow them? Many small organizations choose to relegate information security practices to word-of-mouth as well — essentially disregarding the documentation end. To make matters worse, some organizations are way behind in updating their policies and procedures. An effective information security program within an organization will be documented, communicated to all applicable employees via security awareness training and updated to keep up with changes in the information security landscape.
2. Does the Vendor or Contractor Have Security Awareness Training for Their Employees?
The more exposed to security awareness issues an employee is, the more sensitive they often will be when issues arise. Under those circumstances, they are also more likely to inform their manager or supervisor. The benefits of your vendor or contractor having security awareness training are invaluable and will prove to go the distance in helping to shield you from actions that may invoke your liability.
The most logical next question is: what should your vendor or contractor’s security awareness training include? There is no set definition of what it must contain, but it has to go beyond simply requesting that your employees read related regulations such as the HIPAA act (which applies to the healthcare industry). Sadly, though, this is the extent to which some contractors will provide “training.”
3. Evaluating a Vendor or Contractor’s Security Awareness Training
So you have verified that your vendor or contractor has implemented a security awareness training program. At this point you are strongly encouraged to evaluate their program. Below are two key indicators that will help you make an informed decision about the vendor or contractor’s security awareness.
Documentation
Documentation is one of the best trails of evidence a vendor or contractor can provide to prove they have adequate security awareness training. A good security awareness training program will generate a good amount verifiable data by way of documentation — including training session attendance lists, certificates of completion, questions asked by the trainees and documented proof of teachable moments and trainable moments.
Non-Documentation
There are some other non-documentation factors that should be analyzed to get a better idea of the vendor or contractor’s security awareness. These factors include:
- Training should be based upon solid instructional design principles
- Whether the class is interactive
- Whether the training addresses top information security threats and concerns
- Administrator reporting capabilities
- Can be easily measured for effectiveness — data can be gathered via surveys and information security reporting
The best way to evaluate all of this is to sit in on a security awareness training session hosted by the vendor or contractor. The vendor or contractor would most likely be more than happy for you to sit in on a session. If there are no scheduled training sessions anytime soon, you can also get a feel for all this by having a conversation with the trainer or the member of the security department responsible for training while reviewing their training materials.
4. The Service-Level Agreement (SLA)
The SLA is really your go-to in regard to establishing the rules of your relationship with your vendors and contractors. Working with third-party vendors and contractors opens up your organization to new risks and the impact felt by these relationships needs to be addressed by your SLA. A solid SLA will include a provision requiring security awareness training within the vendor or contractor’s organization. It is a good idea to require the security awareness training to be approved by your organization before you strike up a partnership; this will help your organization cover itself if the training is deemed inadequate.
Conclusion
Working with third-party vendors and contractors is very common, but not without exposing your organization to some risk. Any fear of these risks should be quashed by performing an analysis of your vendor or contractor’s security awareness fitness as detailed above. Couple this analysis with a strong SLA and you will minimize, mitigate and possibly remove any liability to your organization from a vendor or contractor’s lack of security awareness fitness.
Sources
Hiring contractors? 5 areas to check information security practices, Dell
Why Work with Vendors That Don’t Exhibit Cybersecurity Awareness?, My TechDecisions
Key Findings from Security Awareness Training Survey Unveiled by Security Mentor and Enterprise Management Associates, SecurityMentor
Get six free posters
Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.
Report Summary - Security Awareness Training: It's Not Just for Compliance, EMA
In this Series
- Security Awareness for Vendors and Contractors
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness