Cyber-attacks are increasing across every industry. Given the COVID lockdowns and the sudden, widespread shift to work from home, it is hardly a surprise that hackers are taking advantage of the situation. Over the past several months, we have discussed the steps and tools a company can use to develop a best-practices approach to information security. Check out our blog posts, such as “Cybersecurity Risks, Liabilities, and the ROI on Information Security Compliance Software,” and webinars, such as “Protecting Information in the BYOD(esk) Environment: 3 InfoSec Lessons Learned.”
Yet, one area of your business deserves special attention: Your vendors.
Businesses are more reliant on third-party vendors today, and that reliance is increasing. As I stated in a recent webinar discussing internal vulnerability to hackers: Studies note that an organization’s exposure is often within “the family,” so to speak. And when we talk about being part of the family, one of the critical factors related to data breaches is the vulnerability that presents itself in the vendor community.
Assess Vendor Security Posture
Managing information security throughout the vendor community involves two distinct activities. The first is confirming, on a regular basis, that your vendors meet an acceptable level of information security. This action applies to your vendors whether or not they hold sensitive information. A compromised vendor that sends a Trojan horse email to you under their name is as much a concern as a vulnerable vendor who holds your data.
The simplest way to get comfortable with your vendors’ security posture is through a periodic review. The review can range from conducting onsite audits (most companies do not have the resources to do this) to requiring vendor questionnaires and self-assessments (which are the most common). A few points help maximize the effectiveness of vendor self-assessments:
- The assessment should be structured in a manner that reflects YOUR security posture. This is not the time for a canned assessment found on some website.
- Ask for documentation in every reasonable area. Trust, but verify.
- Follow up on any incomplete, inadequate, or questionable answer. If a security incident occurs and you get into a legal battle, the assessment is evidence.
A high-quality vendor assessment should cover a myriad of areas from strategy to program to personnel – and everything in between. These five areas are a great place to start:
- Information Security Management Systems: Think about items like security certifications, policies across a variety of areas, the makeup of the team that drives security planning and recommendations, and the level of program investment.
- Compliance and Accountability: Consider items such as security program assessments; risk levels, status, and mitigation planning; the ability to track performance metrics; and security compliance strategies and challenges.
- Service Levels and Disaster Recovery: When it comes to on-premises data storage or a data center, redundancy, availability, and uptime are always factors that should be considered. Pay close attention to plans for disaster recovery and business continuity, as well as the planning for and testing of those plans.
- Talent & Resources: Find out who is responsible for information security and where they are positioned in the organization. Discuss the methods for vetting employees and vendors, developing security awareness across the organization, and managing risks associated with organizational change.
- Controls: Determine access rights to various systems and platforms. Investigate their access strategy. Discuss data storage locations and limitations, especially in a shared environment.
How can you get started developing a customized vendor security questionnaire for your organization? What questions should you ask? Download our worksheet today.
Improve Vendor Security Management Among Your Team
The second facet of managing vendor security is internal training. To help prevent a successful phishing attack, for example, your internal team should be familiar with your vendor community and the processes required to interact with vendors. This training is particularly important in a distributed, work-from-home environment, where direct communication, such as walking over to a nearby office to ask a question, is challenging.
In our webinar on Information Security in the K-12 education space, we noted that awareness training should be a higher priority in high-turnover work environments due to the lack of familiarity with the organization’s processes, vendors, and conventions. A school environment with parents and other volunteers who may come into contact with personally identifiable information (PII), such as student or staff data, is an excellent example. This scenario applies to other areas, such as seasonal industries, where the workforce is more fluid.
We suggest that “getting started” infosec training consist of:
- Process training revolving around The Three Ws: Who can do What and When they can do it.
- “See something, say something.” You would rather have your employees err on the side of caution than to have to report a breach.
- Different timing for different audiences. Cyber training is not one size fits all – more effort directed at your most at-risk populations is worth it.
According to the BeyondTrust Vendor Vulnerability Index, 69% of IT professionals say their organization has definitely or possibly suffered a security breach resulting from vendor access in the last year.
Because vendor relationships, and the natural exchange of data between you and your vendors, provide cybercriminals with more opportunities ripe for attack, specialized training is warranted for some roles. Vendor information security training for internal teams should answer numerous questions that are personalized to your business, including:
- What are the risks of sharing data with third parties such as vendors and consultants?
- What does our vendor ecosystem look like? Who has access to data and where does it go?
- What internal policies govern the organization’s information management related to vendors?
- What types of data can be transmitted, stored, and processed by vendors? Where will that data be stored?
- Are there any contractual, regulatory, or legal requirements related to information management to be considered when working with a particular vendor? Who owns the risk?
- What processes or special tools are required to exchange data with a vendor?
- How should your organization’s contracts be drafted to protect your data and limit your liability?
Vendors are critical to your business and should be treated as members of the “family.” But they can be a source of cyber insecurity if not managed properly.
Orrios’s OnTrack platform helps users manage vendors, assessments, associated risks, treatment for those risks, and continuous improvement of vendors’ security postures.
Reach out to Steve Henn for our guide on using OnTrack® to efficiently and cost-effectively manage your vendor ecosystem.