By Jacob Olcott of BitSight
Many of the data breaches suffered by enterprises in 2015 stemmed from vulnerabilities found in third parties. With vendors, suppliers and business partners becoming a common entry point into enterprise networks, IT Vendor Management is becoming an essential component to cybersecurity.
(Photo courtesy of Jacob Olcott)
Organizations will need to prioritize IT Vendor Management and adopt a comprehensive approach in order to mitigate third party security risks. The tips outlined in this article will help to organize IT Vendor Management processes in order to reduce the risk of third party breaches.
1. Know who your vendors are and what they have access to.
Many organizations don’t have a complete list of their vendors. Or, even if they do, they don’t know what kinds of data their vendors have access to and whether their vendors have direct access into their network. These are major issues. You should be taking the cybersecurity posture of your vendor very seriously to avoid any unwanted consequences.
2. Know how vendors are connected to you.
If you recall the highly publicized Target breach of 2014, you’ll remember that Target had contracted out to Fazio HVAC to wirelessly monitor their refrigerated units. Target knew Fazio HVAC had a connection, but they didn’t know the extent — and they certainly didn’t realize someone could get access to their entire corporate network through one HVAC company. It’s perfectly reasonable to provide third parties with access to your network — but you have to be able to limit their access to what they truly need. Frankly, anything else is negligent.
3. Know which vendors have your sensitive data.
This is a combination of knowing who your vendors are and analyzing what constitutes sensitive data. This could be health care records, research and development, credit card numbers or a number of other “crown jewels.” Make sure you understand where your most sensitive data is going and who could potentially get their hands on it.
4. Clearly spell out all security expectations in your vendor contracts.
Incidents occurring on a vendor network that result in the loss of your data is a frustrating process. But there is nothing worse (or more embarrassing) than digging through your contract with the vendor to figure out what your restitution is, only to realize you didn’t spell out your security expectations. If something like this happens, you’ll likely have no recourse whatsoever. So, it’s very important to protect yourself through your vendor contract from the get-go.
5. Don’t give free passes to anyone.
A lot of people assume that since they’ve known someone for a long time or because a company seems trustworthy, that they’re doing a good job. This is a huge mistake. Again, this goes back to “trust, but verify” — don’t make any assumptions about cybersecurity, no matter how strong the vendor’s reputation may be.
6. Assess your vendors for their security.
Simply put, you should never trust everything your vendor is telling you. This isn’t to say your vendors are liars, but often, responses can be based on what your vendor’s believe to be true. Assessments can help point out mistakes and issues that have been previously undiscovered. On-site testing and other vendor risk management best practices can help you verify that your most sensitive data is being vigilantly protected.
7. Ensure that your vendors know to report an incident to you.
Many organizations will notify you of a security breach whether they’ve been contracted to or not, but some may decide to keep that information to themselves in a last-stop effort to keep their relationship with you. No matter what, you can’t assume that your vendor will come forward unless you’ve made this very clear to them.
8. Let your vendors know this is a priority for you.
If you don’t treat cybersecurity as a priority in your own company and with your vendors, other issues will take greater precedence. The point is, you should assume your vendor doesn’t know that cybersecurity is of the utmost importance until you make it clear to them.
9. Don’t assume a small vendor can’t cause a big problem.
The size of the vendor and the price of the contract aren’t all that important in terms of cybersecurity. The important thing is whether your vendors have access to your sensitive data or corporate network. For instance, if I hire a sales data entry service, but give them full network access, I am creating a huge potential risk
You must have a defensible process in place for your vendor management. You should be able to confidently say that you manage third-party risk as best you can and, even though bad things are likely to happen, that you’re doing what you can to cover your bases. If you can do this, you’ll likely find yourself in the headlines for all the right reasons.
Currently VP of Business Development at BitSight Technologies, Jacob Olcott previously managed the cybersecurity consulting practice at Good Harbor Security Risk Management. He also served as legal advisor to the Senate Commerce Committee, and as counsel to the House of Representatives Homeland Security Committee.
The views, opinions and positions expressed within this guest post are those of the authors alone and do not represent those of Small Business Pulse. The accuracy, completeness and validity of any statements made within this article are verified solely by the authors.