Privacy Risk Compliance Guide for Procurement Pros

Guide to Complying with Looming Procurement Requirements for Privacy Risk

Getting Ahead of the Next Critical Privacy Risk Requirement for Winning Lucrative Business Contracts

Competition to win lucrative contracts has always been stiff, especially with large corporate entities, businesses, private organizations, and government agencies. The procurement processes employed by corporate prospects are applied to all external vendors seeking to win the business. Whether a vendor sells software, services, materials, or anything else, the procurement process typically involves a rigorous RFi/p/q, or “request for information/price/quote”. With cybercrime on the rise, procurement offices are increasingly requiring prospective vendors to prove their privacy risk compliance bona fides.

Organizations are realizing that information security practices must include external data privacy protections. Recent trends reveal an explosion of cybercrime that relies on data stored outside of protected, secure internal networks. Personally Identifiable Information (PII) of employees and vendor employees is acquired by criminals and leveraged to power social engineering attacks. Using easily accessible, publicly available PII, attackers are able to spoof their way into sensitive networks, where they extort ransoms, steal customer identities and perpetrate other damaging criminal activities.

As a result, organizations of all sizes and their respective procurement practices have grown far more attuned to the pressing need for robust privacy risk management. The most forward-thinking organizations have already adopted tough requirements for privacy risk management and are including these requirements in their procurement processes.

As anyone who has been tasked with responding to an RFi/p/q can confirm, these requests commonly require the vendor to answer dozens, hundreds and even (for the largest opportunities) thousands of questions. These questions, often catalogued in multi-tabbed spreadsheets, are arranged by category. Common categories include such obvious concerns as the features/functions, properties and capabilities of the product or service being sourced. Other sections are dedicated to examining vendor financials, describing technical requirements and technology architecture, detailing product training and support, and of course defining IT and information security.

For years, the information security segment of a typical RFP would contain questions about such concerns as password protocols, data encryption, database security, and internal network and external cloud network security. Many procurement departments even require a vendor to provide third-party IT security certifications such as the SOC Type II audit. Failure to produce a completed SOC audit was often enough to disqualify a vendor candidate from earning the contract. The SOC audit provides detailed information and assurance about a service organization’s security, availability, processing integrity, confidentiality and privacy controls.

Today, there is a growing urgency to combat the rising tide of social engineering attacks that have been plaguing organizations of all sizes. Businesses are compromised daily by highly personalized spear phishing and other social engineering, fueled by exposed PII. As awareness grows of the methodologies used by cybercriminals, procurement offices have begun including new questions in the RFPs they produce. These new questions focus on probing a candidate’s capabilities with regard to mitigating external privacy risks.

Understanding that the majority of data breaches originate via a compromised vendor, procurement organizations have begun to ask all prospective vendors about their practices and policies governing external data privacy. For precisely this reason, organizations are adopting powerful new tools for Vendor Risk Management, which support ongoing audits of all their existing vendors (as well as new ones being evaluated) for external privacy risk. Further, many procurement departments are disqualifying any vendors who fail to meet new, tougher External Data Privacy standards. Requiring regular monitoring of the risks associated with each vendor is one more way procurement is helping defend the safety of the organization.

At the same time that private sector procurement offices are ramping up compliance requirements for privacy risk management, government at the local, state and federal levels is also enacting legislation to establish and enforce privacy risk compliance across all vendors seeking government contracts. As these laws and regulations are enacted, companies seeking to earn government contracts will be required to meet established privacy risk scores. These types of regulations are set to go into effect in the procurement departments of many cities this year.

As such, whenever an organization seeks to do business with another that uses Vendor Risk Management, it will need help complying or it risks not winning the contract. As municipalities, counties and states continue to adopt new requirements for privacy and vendor risk management as a prerequisite for awarding contracts, vendors will need to be able to prove their compliance if they want to earn the contract.

How does it work, and what does it look like in practice for a company to enforce new privacy risk management requirements? Once a company commits to enforcing privacy requirements, it begins by compelling its vendors to invest in External Data Privacy as a prerequisite to doing business. In this way a company can protect itself from breaches without incurring any direct costs. The Vendor Risk Management solution from Privacy Bee for Business is designed to help organizations enact and enforce compliance with strict privacy guidelines and data hygiene practices. Best of all, by imposing these requirements on all vendors beginning in the RFi/p/q process, an organization can achieve External Data Security at zero cost!

Everything an organization needs to clean up its privacy (and employee risk) is offered by Privacy Bee for free! This includes extensive, step-by-step guides for handling any detected exposures. With these easy-to-follow processes, any organization can take the proactive steps needed to reduce the volume of employee PII on the internet and the risk that said data will be used by criminals. Getting started is as easy as 1, 2, 3!

Step One – Claim your free business account and log into the Privacy Bee platform.

Step Two – Go to the Employees page and add the names of all members of your workforce; the Privacy Bee solution will immediately begin scanning for exposures. There’s even a bulk upload feature for larger organizations where the workforce may be too expansive to set up one by one.

Step Three – Within about twenty-four hours the Privacy Bee system automatically scans all the uploaded employees across hundreds of known Data Brokers and People Search Sites, finding any public privacy exposures on them. After the scan is complete, visit the Business Exposures page in Privacy Bee to review a breakdown of every single exposure the solution finds on your employees. Then follow the clear, step-by-step instructions on how to remedy each of them.

In addition, the Privacy Bee platform generates your organization’s Privacy Risk Score – an aggregation of all the metrics captured by the Vendor Risk Management solution. Organizations achieving a risk score of 40% or less are classified as “Low Risk” and are considered to be in compliance with virtually all local and state laws, as well as with the default settings of all procurement departments that use our Vendor Risk Management platform. An organization may elect to set and enforce its own compliance thresholds, but the 40% number is generally accepted as sufficient. And if there are ever any questions, or support is needed to get your organization’s Privacy Risk Score into compliance, you can reach out to Privacy Bee support anytime for help!