Names have been changed to protect the innocent.
Sue, the insurance gal, called me on a rainy Tuesday morning.
“I have a manufacturing client up your way. His e-commerce site went down last week, and there was no backup. The website is back online, but I think there’s some funny business going on. Do you think you could help him out?”
I explained to Sue that websites aren’t our usual business, but I like Sue, and I wanted to do what I could to help her and her client. So, I agreed to reach out to him.
Her client’s name is Charles “Chuck” Holloway.
Chuck owns a small manufacturing business in Santa Fe Springs. I gave him a call.
“Yeah, that’s right. My e-commerce site went down. It cost me $25 grand in lost business and then some.” Chuck continued, “But that’s not what I’m worried about. This guy didn’t know why the site was down, and he didn’t have my site backed up. Makes me think, ‘What else isn’t he doing?’”
Chuck has a point. The developer is responsible for hosting and maintaining a company asset that generates a significant part of his business’s revenue, and what Chuck doesn’t know could cost him a lot more than $25,000.
“Chuck,” I said, “You probably need to give your web developer a Vendor Security Risk Assessment. It will give you visibility into your web developer’s security posture and help you decide whether or not you want to continue doing business with him.”
A Vendor Security Risk Assessment (VSRA) is your best chance to protect your company and customer data from third-party risk.
In Chuck’s case, a VSRA would give him information about:
A very small business could find a vendor security risk assessment form online.
However, I highly recommend that an experienced fractional or virtual Chief Information Security Officer (vCISO) create and give the assessment to your vendors.
The vCISO could also ask for evidence to verify the vendor’s answers, which, again, in Chuck’s case, would be critical to protecting his business from unnecessary and expensive downtime.
If you or someone you care about needs a cybersecurity risk assessment, vendor security risk assessment, or just a shoulder to cry on because they had a cybersecurity breach, give us a call at 866-680-3388. We're here to help.