Don’t Get Spooked by Your Vendor’s Cybersecurity

It’s Halloween, and tiny goblins will be out for trick or treat on Saturday night. In this week’s blog, I thought I’d give you a few tips so you won’t be tricked by your vendor’s cybersecurity.

If you outsource any of your services or business functions, your vendor’s security becomes your security. Outsourced service providers include payroll processing companies, vendors pulling data to perform analytics, or anyone else who has access to your organization’s networks, applications or data. You might have the systems under your direct control locked down, but you may still be vulnerable to weaknesses in your business associate’s security.

What you’re putting at risk is your business data, including business plans, research and intellectual property, your customers’ data, your employees’ data, emails, medical records, banking information, as well as financial information. A flaw in your vendor’s security can mean disaster for your business if a hacker finds that weakness.

So here are a few questions you should ask your third-party vendors before you sign a contract:

1. Will you provide a SOC 2 Type 2 report outlining the results of the testing of your security measures?
   You want to find out how they secure their applications, data and infrastructure against attack and this report will give you details about their procedures. If they can’t provide reports, ask for the right to audit their internal control environment and network security procedures. You can also request that they conduct IT security assessments and provide the results to you. The bottom line is that you must ensure that your partners are working to keep your data secure.
2. How do you train your staff members about cybersecurity?
   You want to know how often they train existing staff members and when they train new hires. The vendor should be able to tell you what’s included in initial training and follow-ups. Particularly important are their rules for providing sensitive information outside of the organization, storing sensitive data on mobile devices, their policies for allowing the use of an employee’s own devices, and what level of remote access employees are allowed. Social engineering is the primary method for hackers to gain access to a company’s network, so be sure your vendor’s training covers procedures to prevent social engineering.
3. How do you handle employees who leave the company?Former employees pose a significant risk to business security. As the use of cloud computing continues to increase, employees do not need to be on-site to gain access to sensitive data. Additionally, many disgruntled employees have installed remote access tools on their computers to access from home. Often, terminated employees continue to access the corporate network via the remote access tools that they installed before leaving. Ensure that your vendors restrict the installation of remote access tools, immediately deactivate terminated employee usernames and passwords, wipe mobile devices to remove all company information, and collect entry cards, keys and other company assets.
4. What are your rules for updating your systems?Unpatched client software is a top cybersecurity threat facing businesses. Targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe Reader, QuickTime, Adobe Flash and Microsoft Office. Most software developers send updates and patches for known flaws and weaknesses in their software. You should ascertain what your vendor’s policy is concerning updates to their client-side applications and servers. The best answer is, “We update when the patch becomes available.” You shouldn’t trust your data to applications that have known vulnerabilities.

Taking a few precautions before you sign a contract with an outside vendor and asking a few questions of your current vendors can help keep your organization’s data secure. If you find any skeletons in the closet, you can clean them out before they become a nightmare. Have more treats than tricks this Halloween!

For weekly insights into enterprise complexity, please sign up here: