
Cybersecurity for Business

Jun 9, 2025


How You Can Help Secure Smaller Vendors with Limited Budgets and Know-How

If you work in third-party risk management (TPRM), you face a growing challenge: how do you keep your supply chain secure when many vendors are small businesses with limited cybersecurity resources?

These small vendors may not even have dedicated IT staff, let alone a security team. Still, they often handle sensitive data and connect directly to enterprise systems. This represents a vulnerability for not just these businesses, but everyone partnered with them.  

But how can your team help secure these critical third-party relationships without expecting small vendors to operate like Fortune 500 companies? We'll explore some options that'll help you be part of the solution.

1. Communicate clear, prioritized expectations 

Remember, many vendors want to do the right thing. Oftentimes, they just need guidance. Perhaps it's time to rethink requiring long security questionnaires or demanding full ISO 27001 compliance. Look into a tailored, risk-based approach. Identify the data, systems, or processes the vendor will access and set expectations proportionate to that risk.  

Draft a simple security checklist that outlines your baseline expectations for a vendor. This might include: 

  • Using MFA 

  • Downloading and installing software updates regularly 

  • Encrypting data in transit and at rest 

  • Regular security training for employees that covers topics like phishing and passwords 

2. Offer vendors tools and templates 

Many small vendors don’t know where to start. You can kickstart their security posture by offering some practical help. Fortunately, you don't have to create tools from scratch. You can just send them some links to help them get started. Furthermore, if your organization has templates for security policies, incident response plans, or acceptable use guidelines, consider sharing them. 

There are low-cost cybersecurity tools designed specifically for small businesses. 

3. Promote the basics 

You don’t need cutting-edge AI or a room full of servers to prevent many cyber incidents. TPRM professionals should encourage smaller vendors to focus on doing the basics reliably: 

  • Patch known vulnerabilities

  • Use strong, unique passwords with a password manager for all accounts

  • Enable MFA on all accounts

  • Back up data regularly – and test the backups

  • Communicate with their staff about common scams – be specific with directives like, “I’ll never ask you to buy me gift cards” 

4. Position cybersecurity as part of the business relationship 

Rather than seeing security as a barrier, work to frame it as a partnership. We recommend formalizing this approach by incorporating cybersecurity language into contracts and service-level agreements (SLAs). Discuss security early in the vendor relationship. Then, you can maintain a spirit of cooperation and collaboration, which will help your vendors feel supported rather than scrutinized. 

Here are ways to keep cybersecurity front and center: 

  • Include cybersecurity obligations in contracts 

  • Request annual check-ins or assessments 

  • Discuss how critical it is that vendors notify you of incidents early

5. Wield your influence 

As a larger partner, your organization has significant influence – perhaps even more than you realize. Work to encourage security improvements in a supportive way instead of merely demanding change.

You can operate with a spirit of collaboration by: 

Cybersecurity is a team sport 

It's a common refrain among security folks these days, but cybersecurity is truly a team sport. And your third-party vendors are part of your team even if you aren't officially coworkers. Helping smaller vendors stay secure is about risk reduction, but it also assists with building resilient partnerships.  

To learn more about staying safe online, sign up for our newsletter! Our CyberSecure My Business program is an excellent offering for small vendors – let us help you! 
