Updated 07/24/2023

Cybersecurity | Backup and Disaster Recovery


Names have been changed to protect the innocent. 

Sue, the insurance gal, called me on a rainy Tuesday morning.

“I have a manufacturing client up your way. His e-commerce site went down last week, and there was no backup. The website is back online, but I think there’s some funny business going on. Do you think you could help him out?”

I explained to Sue that websites aren’t our usual business, but I like Sue, and I wanted to do what I could to help her and her client. So, I agreed to reach out to him.

Her client’s name is Charles “Chuck” Holloway.

Chuck owns a small manufacturing business in Santa Fe Springs. I gave him a call.

“Yeah, that’s right. My e-commerce site went down. It cost me $25 grand in lost business and then some.” Chuck continued, “But that’s not what I’m worried about. This guy didn’t know why the site was down, and he didn’t have my site backed up. Makes me think, ‘What else isn’t he doing?’”

Chuck has a point. The developer is responsible for hosting and maintaining a company asset that generates a significant part of Chuck’s revenue, and what Chuck doesn’t know about how that asset is managed could cost him a lot more than $25,000.

“Chuck,” I said, “You probably need to give your web developer a Vendor Security Risk Assessment. It will give you visibility into your web developer’s security posture and help you decide whether or not you want to continue doing business with him.”

Chuck agreed.


How Vendor Security Risk Assessments Protect YOU.

A Vendor Security Risk Assessment (VSRA) is your best chance to protect your company and customer data from third-party risk.

In Chuck’s case, a VSRA would give him information about:

  • His vendor’s business continuity and disaster recovery planning.
  • How and where backups are stored.
  • Whether the backups are tested and validated on a regular basis (an important step that a lot of organizations don’t bother to do).
  • How the vendor would handle any IT incident that involves downtime or data loss (not just cyberattacks).
  • The general security and resiliency of the application they’ve built and are hosting.
  • Insight into the organization’s general information security practices.

A very small business could find a vendor security risk assessment form online.

However, I highly recommend that an experienced fractional or virtual Chief Information Security Officer (vCISO) create and give the assessment to your vendors.

The vCISO could also ask for evidence to verify the vendor’s answers, which, again, in Chuck’s case, would be critical to protecting his business from unnecessary and expensive downtime.

If you or someone you care about needs a cybersecurity risk assessment, vendor security risk assessment, or just a shoulder to cry on because they had a cybersecurity breach, give us a call at 866-680-3388. We're here to help.