
Not many small businesses do business these days without the services of third-party vendors, some of whom have access to your company’s sensitive information. Even if you run a tight cybersecurity ship, what happens if your accountant loses a laptop or the payroll company that connects to your network experiences a security breach? Your business could be in jeopardy, of course, but that’s not all. Regardless of the circumstances surrounding the vendor’s breach, customers may focus on the fact that they trusted you with the data and now they’re at risk for identity theft.

So it’s in your interest to be very interested in how the companies you work with protect personal information. The FTC has new cybersecurity resources for small businesses with tips on keeping tabs on your vendors’ security practices.

How to monitor your vendors

When you transfer sensitive information to a vendor – whether it’s confidential paperwork or digital data – what steps can you take to help secure it?

  • Put it in writing. Spell out your security expectations up front and include specific provisions in your contracts about protecting data. If a vendor vacillates, maybe they’re not the right partner for you.
  • Verify compliance. “Trust, but verify,” as the adage goes. Don’t just take vendors at their word. Establish a process so you can confirm they’re following your rules.
  • Make changes as needed. Cyber threats are constantly morphing. Make sure the security methods your vendors use are up to date – and up to your data.

How to protect your business

If vendors have access to your network, what can you do to reduce the risk of a mishap?

  • Control access. Not everybody needs a backstage pass to your company’s sensitive information. When there is a legitimate business need for a certain vendor to have access, grant it on a need-to-know basis and only for the time it takes the vendor to complete the task.
  • Safeguard your data. Use strong encryption and configure it properly. That helps protect sensitive information both while it’s being transferred and while it’s stored.
  • Secure your network. Require strong passwords: at least 12 characters, both capital letters and lower-case, and a mix of numbers and symbols. Don’t reuse passwords and don’t share them. To stymie password-guessing software, use tools that lock an account or slow down log-ins after a set number of unsuccessful attempts.
  • Use multi-factor authentication. Rather than relying just on a password, insist that vendors take an additional step – maybe a temporary code on a smartphone or a security key inserted into a computer – before accessing your network.
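As an added illustration of the controls in this list, not code from the FTC or from its vendor-security materials: a small Python model of a vendor gateway that enforces the password policy above, locks an account after repeated failed log-ins, verifies a time-based one-time code (RFC 6238 TOTP, the kind a smartphone authenticator app generates), and grants access to a resource only for a fixed window so the permission lapses when the task is done. The class name, vendor names, thresholds and the RFC test-vector secret are all assumptions for the example; a real deployment would put these checks in front of the VPN or application rather than in a script.

```python
import hashlib
import hmac
import os
import re
import struct

PASSWORD_MIN_LEN = 12   # the "at least 12 characters" rule from the list above
TOTP_STEP = 30          # seconds per one-time code, as in RFC 6238


def password_meets_policy(pw: str) -> bool:
    """Length >= 12 with upper, lower, digit and symbol, i.e. the policy in the list above."""
    return (
        len(pw) >= PASSWORD_MIN_LEN
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock (the 'temporary code on a smartphone')."""
    return hotp(secret, now // step, digits)


class VendorGateway:
    """Hypothetical in-memory model of the controls in the list above (constructed for this example)."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._accounts = {}      # vendor -> (salt, password hash, TOTP secret)
        self._failures = {}      # vendor -> (consecutive failures, locked-until epoch seconds)
        self._last_counter = {}  # vendor -> last accepted TOTP counter (replay guard)
        self._grants = {}        # (vendor, resource) -> expiry epoch seconds

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Salted PBKDF2 so a copied account table does not hand out reusable passwords.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, vendor: str, password: str, totp_secret: bytes) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self._accounts[vendor] = (salt, self._hash(password, salt), totp_secret)

    def _code_ok(self, vendor: str, secret: bytes, code: str, now: int) -> bool:
        # Accept one step of clock drift either side; never accept a counter already used.
        last = self._last_counter.get(vendor, -1)
        for drift in (-1, 0, 1):
            counter = now // TOTP_STEP + drift
            if counter > last and hmac.compare_digest(hotp(secret, counter), code):
                self._last_counter[vendor] = counter
                return True
        return False

    def login(self, vendor: str, password: str, code: str, now: int) -> str:
        """Returns 'ok', 'denied' or 'locked'; max_failures misses lock the account for lockout_seconds."""
        failures, locked_until = self._failures.get(vendor, (0, 0))
        if now < locked_until:
            return "locked"
        acct = self._accounts.get(vendor)
        ok = False
        if acct is not None:
            salt, pw_hash, secret = acct
            if hmac.compare_digest(self._hash(password, salt), pw_hash):
                ok = self._code_ok(vendor, secret, code, now)
        if ok:
            self._failures.pop(vendor, None)
            return "ok"
        failures += 1
        if failures >= self.max_failures:
            self._failures[vendor] = (0, now + self.lockout_seconds)
            return "locked"
        self._failures[vendor] = (failures, 0)
        return "denied"

    def grant(self, vendor: str, resource: str, now: int, ttl_seconds: int) -> None:
        """Need-to-know and time-boxed: the grant lapses on its own when the task window ends."""
        self._grants[(vendor, resource)] = now + ttl_seconds

    def revoke(self, vendor: str, resource: str) -> None:
        self._grants.pop((vendor, resource), None)

    def can_access(self, vendor: str, resource: str, now: int) -> bool:
        expiry = self._grants.get((vendor, resource))
        return expiry is not None and now < expiry
```

The clock is passed in as `now` rather than read from `time.time()` so the lockout and expiry behaviour can be checked deterministically; the HOTP routine reproduces the RFC 4226 test vectors (secret `12345678901234567890`, counter 0 gives `755224`), which is the quickest way to confirm an authenticator implementation before trusting it.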

What to do if a vendor has a security breach

  • Contact the authorities. Report the attack right away to your local police. Some departments have special cybercrime units. But if they’re not familiar with investigating data incidents, contact your local FBI.
  • Confirm the vendor has a fix and follows through with it. Insist on straight answers from your vendor and an effective plan of action to correct vulnerabilities. If you choose to continue as a customer, ask for specifics on what they’re doing to keep your data safe going forward.
  • Notify customers. If customer or employee information was compromised, notify the affected parties, who may be at risk for identity theft. Read Data Breach Response: A Guide for Business for more advice and refer concerned people to

The FTC has a factsheet about vendor security. Make it required reading for any employee who interacts with vendors. There is a short quiz to evaluate if they’ve mastered the basic principles.

If cybersecurity issues are on your mind, you may be thinking about the related issue of cyberinsurance. When we met with small business owners to hear about their cyber concerns, they had questions about that topic. We’re happy to pass along this information with thanks to the National Association of Insurance Commissioners (NAIC) for their role in developing it.


December 21, 2018
What about Non-profit organizations that have old business models that you have to adhere to in order to run your business? Third parties create vulnerabilities.
