Chapter 9. Managing the Big Risk: Third-Party Vendors

The golden rule for every business man [or woman] is this: “Put yourself in your customer's place.”

Orison Swett Marden, American author

Despite Marden's advice, this does not seem to occur often. This chapter, on the risks associated with engaging third-party vendors, is titled “Managing the Big Risk.” It is called the Big Risk because it is a big risk, perhaps the biggest. Third parties introduce a variety of risks into virtually every environment. Small and large companies alike use multiple third-party vendors. Some companies use literally thousands of third-party vendors to assist in a wide range of operations. While some third parties simply come in on a periodic basis to tend to the office plants or to exchange empty drinking water containers for full ones, others perform a wide array of information-related services that involve highly sensitive information.

Some third-party vendors are the proverbial back door, a door with perhaps less security, less reinforcement, fewer locks, a lower level of awareness, and less due diligence applied. This adds up to more risk. In an environment where security is strong, attackers would likely move to an alternative strategy. Sometimes this means that they attack through a third-party vendor.

Expect that the relationship between companies and third-party vendors is going to be on the fast track to change. Already the federal government ...
