Risk is everywhere. A contractor installs a video client over an unsecured coffeehouse Wi-Fi network, and your company's information leaks. A technician updating a firm's mobile network fails to follow network security protocols, or worse, is already connected to a hacker network.
Chains are only as strong as their weakest link, and the same goes for business personnel, software, hardware and networks. Companies that vet their own employees may still fail to ask the same questions of third-party vendors. According to PricewaterhouseCoopers, 74 percent of companies do not have a comprehensive review of the third-party vendors that handle their sensitive data, and 73 percent do not have procedures in place to handle breaches. Things have probably improved since then.
This is a concern not only for CISOs and CIOs but for the board as well. Fortunately, boards have the ability to make vendor risk assessments a priority for the entire company culture. Below are some calls to action to consider.
1. Risks Within Your Own Network Walls
Hackers, faced with tightening network controls, have resorted to stealing credentials from suppliers to gain their way into systems, according to TechNewsWorld. The major breach at Target in 2013 is tied in part to credential theft from a third-party vendor that provided project management and billing services. A year later, malware struck Home Depot via another third-party vendor.
Insider security breaches are a serious threat to companies, as employees may not fully realize the implications of leaving their email logged in, reusing a password across accounts, or leaving files exposed on a desk. Third-party vendors and service providers can present the same problem: they access the network and expose it to vulnerabilities.
2. Get to Know Your Vendors Really Well
When working with new vendors, security should be a major component of the decision; it's simply too risky to skip it. Make sure the third party's security audits, certifications, and notification procedures are at least as good as what you have internally.
To ensure that all risk assessments are done, ask the security questions of every vendor, including, for instance, the janitorial company you've hired. The same questions extend to technicians and others. Asking a vendor about security vetting, clearance and security education before they start a job can be done quickly.
3. Don't Let Any Vendor Slip Through the Cracks
Sure, every organization should have its own security checks, external audits and certifications that it requires of any vendor. But the IT organization at any company can also score each and every one of them. It sounds simple enough, but the extra due diligence can be the difference between security and a multi-million dollar debacle.