By: Steven Cardinal

For those who keep abreast of the news, it seems like cyber attacks and data breaches are a daily occurrence. From the compromise of Okta customer data via their third-party support provider to the breach of over 500,000 individuals’ Protected Health Information through Eye Care Leaders, we see organizations having their sensitive data exposed despite entrusting that data to third-party vendors and their solutions. This leaves both the organizations and their customers vulnerable to legal and reputational harm.

While it isn’t possible to “go it alone” in a complex business environment that is highly dependent on technology, there are measures organizations should take to reduce their risk.


When considering a system or service that will store, transmit, or process sensitive data, it is incumbent upon the organization to perform its due diligence. While contract language may govern legal responsibility, it can do little to protect the organization from reputational harm, and even less to actually protect your sensitive data.

Whether you leverage your own technology and security personnel or rely on an external security advisor, asking a prospective vendor to detail its own security practices and assessing the responses is a sound first step. While there may be a gap between what the vendor says it does and what it actually does, such an assessment may identify areas of risk that your organization can weigh in deciding whether this is the right solution for it.

Additionally, the security capabilities within the product or service should be evaluated to determine if the solution can meet your security needs. Such an assessment can also indicate the effort necessary to maintain the system and protect it from compromise. The purchase price of technology is typically only a small fraction of its Total Cost of Ownership (TCO). Understanding the true cost of a secure solution is critical to sound decision making.


Running an organization comes with risk, and relying on vendors and other third parties for technology solutions is an unavoidable hazard. At Soteria, we know that risk can be managed and reduced through proper due diligence, both at the time of selecting a vendor and throughout the lifetime of the contract. We regularly assist customers in assessing a vendor’s security program and its product’s security capabilities to protect sensitive data and, with it, the reputation of your organization.