Third Party Cyber Risk



Are Your Vendors Putting You At Risk?


We are in a world of cooperative relationships. Vendors are a vital part of our success, and we are increasingly dependent upon each other. These partnerships bring numerous benefits, but they also introduce cybersecurity risks that must be carefully managed.


Two important statistics must be kept in mind when working with vendors:

  1. Nearly half of successful cyberattacks result from external relationships.

  2. The vast majority of small and medium-sized businesses are not financially prepared to recover from a cyber-attack.

How many vendors does your company have, and what types of data do you share with them? According to research surveys, nearly all companies have at least one third-party vendor that has been breached in the past couple of years. More than half of large organizations have 200+ relationships (through fourth-party vendors) that have also suffered recent breaches.


One impacted vendor can translate into multiple impacted companies. A breach like this could not only impact your operations from a cybersecurity perspective, but also from the damaged performance or loss of a key vendor.


It’s important to remember that your vendors may not have the same level of security measures and protocols as your organization. Just because your company may have an A security rating, you cannot assume you are safe from cyber-attack or from the consequences of an attack on one of your vendors. If you don’t know the security posture of your vendors, is your company secure? If your vendor security is a blind spot, you may be exposed to conditions that can cause severe consequences such as financial loss, reputation damage, and regulatory non-compliance.


Understanding the security practices and controls of these interconnected entities should become part of your own security practices, so that the entire chain is adequately protected. This is especially important as more organizations allow remote work, which widens the attack surface for everyone. You and your vendors should share a motivation to leave no attack surface exposed and no gap unnoticed as you work together, for the sake of each other and your customers, to secure your entire interconnected web presence.


A Cautionary Tale


In 2017, Maersk, the largest maritime shipping company in the world, was hit with ransomware. The cause of the attack was identified as malware that compromised the accounting software of one of their suppliers, which spread and infected Maersk. It cost the company $300 million and forced worldwide operations to shut down for two weeks. This and other cybersecurity incidents serve as reminders of the ever-present threats organizations face in the digital age. They underscore the importance of robust security measures, timely software updates, regular vulnerability assessments, and ongoing user education to prevent and mitigate such devastating incidents.


What Can You Do?


Make an Inventory

Start by creating an inventory of all your vendors and identifying the types of data they each have access to. Make sure that any communication between organizations is secure. Limit the scope of the data accessible by each vendor based upon the services they provide.


Take Responsibility

Never outsource responsibility. Make it your business to understand your vendor’s (and if possible, their vendor’s) security controls. For example: What if your accounting firm’s network is hacked? The financial data of your business and your customers may end up in the wrong hands — putting your business and your customers at risk. You want to understand that risk up front.


Perform and review due diligence documentation on a regular basis and use tools like security questionnaires to assess risk. Make sure these questionnaires ask your vendors questions like, “Do you and your vendors conduct regular security training with all employees?”, “How often do you back up your systems?”, “What are your contingency plans to minimize the impact on your operations?”, etc. Request their security incident response plan, including the steps they will take to manage and communicate incidents with your organization in the event of a breach.


Put It In Writing

Clearly define cybersecurity requirements in your vendor contracts and include provisions related to data protection, incident response protocols, and notification requirements in the event of a cyber-attack. Make sure you consider that threats change and your processes for detecting and dealing with them should remain up to date. Make sure all parties understand they have to maintain shared ongoing vigilance. Make the security provisions that are critical to your company non-negotiable.


Verify Compliance

Establish processes so that you can confirm your vendors follow the agreed-upon rules. Don’t just take their word for it. Make it a continuous process. The more frequently you verify the security of every exposed system in your interconnected web presence, the shorter your period of risk exposure. Continue to monitor your vendors’ cyber health throughout the life of the relationship.
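The four steps above (inventory, scoped access, regular due diligence, contractual notification terms, ongoing verification) can be tracked in a simple vendor register. The following is an added example, not something from the original article: it models each vendor's actual versus needed data access, flags over-provisioned scope, overdue reviews and missing breach-notification clauses, and ranks vendors by a constructed risk score. The sensitivity scale, the 365-day review interval and the two sample vendors are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sensitivity scale for the data classes a vendor may hold.
SENSITIVITY = {"public": 0, "internal": 1, "customer_pii": 3, "financial": 4}

@dataclass
class Vendor:
    name: str
    service: str
    data_access: set            # data classes the vendor can actually reach
    data_needed: set            # data classes the service genuinely requires
    last_review: date           # last due-diligence review (questionnaire, evidence)
    breach_notice_clause: bool  # contract requires incident notification to us
    fourth_parties: list = field(default_factory=list)  # their known vendors

def excess_access(v):
    """Data classes the vendor can reach but its service does not need."""
    return v.data_access - v.data_needed

def review_overdue(v, today, max_days=365):
    """True when the last due-diligence review is older than max_days (assumed interval)."""
    return (today - v.last_review).days > max_days

def risk_score(v, today):
    """Higher = more urgent. Sensitivity of held data, weighted by control gaps."""
    base = sum(SENSITIVITY[d] for d in v.data_access)
    score = base
    if excess_access(v):
        score += base            # over-provisioned access doubles the exposure
    if review_overdue(v, today):
        score += 2
    if not v.breach_notice_clause:
        score += 2
    score += len(v.fourth_parties)  # each fourth party extends the chain
    return score

def findings(vendors, today):
    """Vendors ordered by risk, each with the concrete actions to take."""
    out = []
    for v in sorted(vendors, key=lambda v: -risk_score(v, today)):
        issues = []
        if excess_access(v):
            issues.append(f"trim access: {sorted(excess_access(v))}")
        if review_overdue(v, today):
            issues.append("due-diligence review overdue")
        if not v.breach_notice_clause:
            issues.append("no breach-notification clause in contract")
        if v.fourth_parties:
            issues.append(f"fourth parties to assess: {v.fourth_parties}")
        out.append((v.name, risk_score(v, today), issues))
    return out

def sample_vendors():
    """Constructed sample register: an accounting firm and a marketing agency."""
    return [
        Vendor("Acme Accounting", "bookkeeping", {"financial", "customer_pii"},
               {"financial"}, date(2023, 1, 15), False, ["payroll-saas"]),
        Vendor("Bright Marketing", "campaigns", {"public", "internal"},
               {"public", "internal"}, date(2024, 3, 1), True),
    ]
```

Run `findings(sample_vendors(), date(2024, 6, 1))` to see the accounting firm ranked first with four actions and the marketing agency with none.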


Conclusion


As companies increasingly rely on vendors for key services, it is essential to recognize the cybersecurity risks associated with sharing data.


Keep in mind that your business selected vendors based on the outstanding goods and/or services they provide. Their cybersecurity rating may not have been involved in that process. However, since cybersecurity risks have grown astronomically over recent years, it needs to become part of your conversation with these vendors. Your business may need to take the lead in this effort. This will benefit all of the organizations involved.


✅ Be proactive and take a selfish and altruistic approach to your cyber strategy.

✅ Understand that your vendor’s ability to remain secure is equally as important as your own.

✅ Continuously monitor the cyber hygiene of your entire digital supply chain.

✅ Ensure the underpinning processes are in place to work together to address issues when they are uncovered.


Sustaining this kind of discipline and commitment will help reduce everyone’s overall cyber risk!

