Welcome to our video series, innovators in Privacy Tech! At our global user conference in London, PrivacyTECH, we interviewed the best and the brightest minds in the privacy industry for their insights on everything from the California Consumer Privacy Act (CCPA), the future of privacy, how to achieve sustainability in your privacy program and more.
Today we have Dave Oldham, Third Party Risk Consultant at Vanquis Bank. With over 4 million customers, Vanquis Bank is the largest dedicated specialist ‘low and grow’ credit card issuer in the UK credit card market serving those customers who are sometimes excluded by the bigger high street banks.
Red Flags When Assessing Vendors
Oldham notes that one of the red flags you need to consider when assessing vendors is the lack of penetration testing. If a vendor doesn’t know what their vulnerabilities are, then how are you going to know as well? Oldham continues on to explain that he has come across companies that just don’t do it, so when you’re asking them what do they do and how do they know they have no vulnerabilities at all, they only give assurance based on no knowledge at all, rather than providing a report. Another red flags is if a vendor doesn’t seem to have any internal controls of their data in their system. It’s important to not only have policies in place, but policies that have depth and detail.
What Companies Should Look for When Assessing Vendors
When assessing vendors, Oldham advises companies to look at the health of the vendor, from a financial point of view to see whether they are financially viable. Then, when you go to look at the security side, you need to understand whether the vendor has a similar outlook on security as your company does. If you’re spending a lot of money beefing up your own security requirements, putting firewalls in place, making sure the data is safe with adequate encryption and so on, you can set it up in such a way so that all of the penetration tests that are performed show no vulnerabilities. Then, when you take that data and give it to a third party, all of a sudden they could get hacked instantly and all that data is sucked out from them rather than yourself. Oldham notes that you then will go into the third party and go through basically all the demands of ISO 27001 and then other requirements as well that you want to put on top of that, including penetration testing, vulnerability scanning, DLP controls and so on just to get a good feeling about the company.
Stay tuned for our the next Innovators in Privacy Tech post and visit our LinkedIn, Twitter and Facebook. For more information, request a demo today and learn why OneTrust was named a leader in the Forrester New Wave™: GDPR and Privacy Management Software, Q4 2018.