Businesses of all sizes regularly use outside contractors for consulting, database management, deliveries, and other services. This often leads to the sharing of private data, like customer contact information, performance metrics, and even credit card accounts in some cases. Is your company vulnerable to possible breaches from third-party vendors? And just as importantly, is it at risk from businesses that your contractors might contract with?
Vendor (and Vendors’ Vendors) Security
About 75 percent of executives surveyed by PwC claim that their companies have “concerning cyber and privacy risks,” and many have blind spots associated with their supply chain and third-party vendors. They seem to realize the importance of cybersecurity but have less understanding about enterprise-wide assessments that cover all the bases.
Contractors who pose risks might not have bad intentions, but they often break rules, cut corners, or are just careless. Even though your network perimeter might be secure and monitored, vendors usually have their own hardware and other tools that get connected into your systems. They do not always follow client policies, could be using expired products, or might not prioritize security. Exactly how can contractors expose their clients to outside threats? Here are a few examples.
- An inexperienced cybersecurity vendor is hired to install new hardware but misconfigures the firewall and leaves a gap that hackers can get into.
- A financial consultant creates unauthorized admin-level accounts that leave the company wide open to cyber criminals. Accounts with this level of privilege have access to large amounts of sensitive data.
- A remote worker’s laptop is infected through a contractor, and the infection spreads across the company’s entire network.
How Can I Reduce Contractor Security Risks?
The first best practice for addressing third-party security is to verify that your vendors have strong cybersecurity plans and monitoring. Do your due diligence by asking about this and confirming that they have their own exposure risk protocols, incident detection, and response strategies. They should have regular internal and external penetration testing of their networks, as well as social engineering assessments that include employee awareness tests and simulated phishing emails.
Make sure that every contractor documents the security testing it carries out. You can also ask how they handle and document remediation of the issues they find, and how they test for any remaining weaknesses. Vendors need to share all their cybersecurity best practices with you, including the training they provide to their own employees and outside contractors. Be sure that they have confidentiality agreements with all of these parties; this is also vital for protecting your data.
Agreements With New Contractors
Your vendors should be willing to work with you to reduce cybersecurity threats, and if they are uncooperative, it is time to search for new ones. You do not want to sign agreements with vendors that will be weak links in your risk management and cybersecurity protocols, so thoroughly review their approach to these critical issues. The contract should include detailed language about data breach notification requirements (including timeframes), as well as all their cybersecurity protocols.
These precautions are absolutely necessary and can reduce the risk of third-party cybersecurity gaps and breaches. Failing to manage this puts your company at risk for an IT nightmare, along with serious financial, reputational, and regulatory consequences.
TAG Solutions is the premier Albany, NY managed services provider. We can help your organization analyze your internal and external risks with an audit and other proactive IT management services, reducing your exposure to threats that can cripple your operations. Contact us today for a free consultation – we make IT work!