Like a chain, cybersecurity protection is only as strong as its weakest link. However, finding said link isn't as easy, since it could be anything from a misconfigured router you've long since forgotten about, to something one of your vendors is (or isn't) doing.
The problem with vendor security
Let's go back to 2013 for a moment to see how a single problematic vendor relationship can break the security chain and precipitate a major incident. The Target data breach that year was a watershed moment in cybersecurity history, because of its scope – it affected more than 100 million records– as well as how it happened, with a set of stolen vendor credentials.
One of the retailer's HVAC vendors had suffered a malware infection via email, but did not discover it until it was too late; the company had only been running a free anti-malware scanner without real-time protection. After breaking through, the cyberattackers had access to a Target portal they then used to spread their own malware to point-of-sale systems in stores.
The entire incident was a vivid lesson in how one company can pay the price for another's missteps. "But I did everything right!" you might say, yet sometimes the practices that have successfully protected your internal systems aren't enough to keep vendor-specific threats at bay. In these cases, a multi-front approach is needed.
How to limit your exposure to vendor cybersecurity issues
The best place to start is to perform due diligence on your own cybersecurity solutions and processes, just to make sure all i's are dotted and t's crossed. That means checking for the presence of:
- Multi-factor authentication.
- Access controls.
- Data encryption.
- Anti-phishing training.
- Patch management.
Once you've performed this basic review, it's time to get the word out. Cybersecurity isn't always an easy sell to the C-suite, despite its central role in ensuring the long-term viability of your organization. Tight budgets might not leave much room for the necessary technological investments or for choosing top-tier vendors that follow industry best practices.
All the same, it's worth pitching leadership on the importance of vendor selection to cybersecurity strategy, even if you are an SMB. The 2017 Verizon Data Breach Investigations Report found that SMBs accounted for more than 60 percent of breaches that year, underscoring the stakes for vetting your vendors and checking every last security-related box.
When you bring any new vendor on board, it's crucial to continuously monitor and assess their practices, even if you are predisposed to trusting them. A least privileged security model can pay off here by limiting what vendors have access to. For example, if a vendor doesn't need a connection to your customer data, don't give it to them. Only share what is absolutely essential to making the business relationship work.
Finally, it might be advisable to get a service-level agreement (SLA) set up. An SLA is usually a legally binding document requiring the signatories to agree on a shared set of policies. For cybersecurity purposes, it might require them to follow guidelines recommended by the National Institute of Standards and Technology or SANS.
Don't go it alone in shoring up cybersecurity
These steps form a good blueprint for closing vendor-related vulnerabilities, but they might be difficult to follow for many organizations that lack sufficient personnel to tackle all the required due diligence and solution implementation. This is where Paramount steps in.
We'll collaborate with you on a custom IT staffing strategy so that you get the personnel you need to strengthen your defenses. Learn more by contacting us today.