Business people and IT/security folks should be increasingly concerned with employees sharing sensitive internal information with vendors.
Even if you have an NDA in place, the risk of damage to your reputation from a breach through a vendor can't be overstated.
We found a great slideshow, 10 Best Practices for Sharing Sensitive Information with Vendors, plus a link to this interesting report by Deloitte showing, to nobody's surprise, that there is more and more outsourcing going on in the large enterprise, and so more and more data protection is needed in this area.
With respect to point #9 - "Consider putting controls in place to help guard ... your data", put the emphasis on guard.
Vendors are an important part of the supporting ecosystem for any large enterprise. Sharing information is required to make it work, and very often sensitive information is exactly what the vendor deals with for you. That's the value they provide.
The key is to take a policy-driven approach and avoid heavyweight onboarding processes that drive users to workarounds.
Integration with leading vendor databases is also a huge potential win; if you can automatically know that a particular vendor is approved to receive a particular class of data - that's one thing.
If you know you can revoke their access to it anytime - that's another. If you'd like to see how you can do that without rolling out software... contact us.