Consider the following scenario: Budget was your top priority during your search for a payroll provider. When a local company gave you a quote within your range, you signed on the dotted line, no further questions asked. 6 months later, your systems are seized with malware. You call your IT partner who is able to trace the source of the breach back to the local payroll provider. The company only had a basic firewall in place. Cybercriminals breezed past this basic security measure, gaining data held by the payroll company and access to each business that used the service.
Extreme? Maybe a little, but there’s truth in the underlying principle: you need to vet third-party vendors before working with them. The guy who converted his garage into an IT office may have been your best option based on budget constraints – but you need to be aware of risks ahead of time. Take the 3 steps below to protect yourself against threats posed by external partners.
1. Conduct an IT Vendor Assessment Before Partnering with a Third-Party
When you perform a vendor assessment, you aren’t trying to answer if the company is “good” or “bad.” Instead, the goal is to determine the risks you’ll be exposed to if you work with the provider. Use a formal, structured process to uncover as much information as possible – even about us! You never want to take security for granted, and a thorough investigation is a necessary step before you work with any external partner.
How an IT provider can help with assessments
Once you have a trusted advisor on board, use them to evaluate your other vendors, like the company you use for accounting software or your VoIP provider. You may not know which questions to ask during the sales process. Again, you’re trying to determine the level of risk associated with the vendor. It isn’t enough to ask, “Do you use encryption?” Since this is a common best practice, your vendor will likely say “yes” and leave it at that. But there are important follow-up questions.
If we were in the room with you and the vendor, our next question about encryption would be: Do you use encryption in transit or at rest? (We won’t go into the details, but they offer different types of protection for your data and you probably want both.) Working with an IT expert as you evaluate vendors leads to more rigorous questioning and can uncover risks you aren’t willing to stomach.
2. Establish the Right IT Permissions for Vendors
Forget what vendors have told you in the past. Most do not need admin access to your network or systems. The reason so many vendors say it’s necessary is because it makes their job easier. Yes, lower levels of access cause a little extra work for the vendor. But, it limits your risk exposure. We’ve said it before; if Target had given their HVAC contractor a lower level of access, they wouldn’t have been breached.
2 questions to ask vendors with admin access
Not all vendors will have proper security protocols in place. When there is a legitimate reason to grant admin-level access, stop to ask these questions to keep your business protected.
- Where will you store the login credentials?
- How long do you need access?
Ideally, your vendor will tell you they have a secure password management tool and they only need access for a limited amount of time. If they say they use an Excel sheet stored on their server back at the office or need indefinite access, pause and consider the risks. Your credentials could easily be stolen if the vendor is hacked and, if they have permanent access, your system is continually open to an organization you have no control over.
3. Regularly Review Vendors and Permissions
In addition to evaluating vendors before you start working with them, conduct annual reviews. This is typically a requirement for regulated industries and can be built into cyber insurance policies too. If you’re breached and your insurer can prove you haven’t been doing your due diligence on third parties, your carrier can deny your claim.
On an annual basis, you want to look at permissions. We’ve compiled reports for organizations showing who has access to their systems, only to find out they don’t even work with some of the vendors on the list and haven’t for years. You don’t want to let 5 years pass before you realize it’s time to remove a vendor’s access.
Managing Third-Party IT Risks is a Continual Process
Don’t let your business be exposed to risks because an external vendor failed to follow security protocols. We work with our clients to thoroughly assess proposed vendors, evaluate risks, establish permissions and conduct regular vendor reviews. Contact us today to see how we can help you.