Assessing the Security Risks of Conducting Business with Small- and Mid-Sized Vendors

Every vendor with which you exchange electronic data represents a potential security risk. Whether it’s a specialized law firm, a value-added reseller delivering technology, a consultant, or an off-shore service provider, it’s important to understand those risks—before they access your infrastructure, your business systems, your intellectual property and your data.

If a vendor gains access to your data—through email, electronic data exchange, log-ins to your servers, a website portal or your cloud services—anyone who hacks them also gains access to your business. 

Risk Assessments for Smaller Vendors: A Staged Approach

Small- and medium-sized companies typically do not have the resources and expertise to properly measure their security posture. At the same time, no single method of performing a thorough third-party risk assessment fits all vendors.


To take on this challenge, DatumSec recommends assessing each of your vendor’s “Indicators of Posture” from both an external and internal view:

With these two views, you can then establish a third-party risk baseline and proportionally map out a risk baseline on every vendor in the same way. This then enables your vendors to perform their own assessments in order to meet that defined baseline.

In the end, you improve the overall security posture of all your vendors so that your security posture rises as well.