Vendors could be the weakest link in many cyber defense strategies
The growing frequency and intensity of cyberattacks, combined with new data privacy and security regulations, has made cybersecurity a top priority for most organizations. But while there is plenty of attention paid to a firm’s own data, many forget that their partners and suppliers hold a wealth of information on them.
Information Management recently spoke with Jessica Ortega, a web security research analyst at SiteLock, about the risks that may be posed by a firm’s vendor partners.
Information Management: What level of responsibility do organizations have to ensure the cyber hygiene of their supply chain partners?
Jessica Ortega: While organizations are not directly responsible for the cybersecurity measures taken by the vendors in their supply chain, they are directly responsible for evaluating the security associated with their supply chain transactions. Prior to trusting any third party with their data, organizations should perform the necessary due diligence to help safeguard themselves, as well as their customers, from potential threats.
Proper due diligence includes inquiring about that vendor’s cyber hygiene and security practices, as well as ensuring any applicable compliance requirements are met. This is important because, should a data breach occur, customers will not hesitate to hold the organization accountable.
IM: In what ways could vendors potentially put the data of a client organization at risk, or endanger the client’s compliance status?
Ortega: Shared customer data such as names, email addresses, phone numbers or credit card information could be at risk if a vendor in the supply chain fails to store that information securely. Should the vendor suffer a data breach exposing that information, the original company that provided that data may be held accountable for the exposed information. This could result in fines or lawsuits against the organization from consumers whose data was leaked to cybercriminals.
Additionally, businesses operating in the European Union could lose their compliance status under new GDPR laws, resulting in fines or loss of accreditation.
IM: What questions should an organization ask a potential vendor to evaluate that company's cybersecurity practices and cyber hygiene?
Ortega: While some vendors may want to hide the specifics of their cybersecurity processes to avoid potential exposure of these strategies to cybercriminals, there are a few questions that should begin every vendor conversation.
- How do you store sensitive consumer or partner data?
- How often does your security team run security fire drills?
- How often does your IT team run security updates on your systems? Do these updates include firmware as well as software?
These questions may lead to additional inquiries, such as whether or not a vendor sells or shares sensitive data with other vendors. If they do, organizations will need to individually evaluate each of those parties as well.
If a vendor is unwilling or unable to answer these questions, it should be a cause for concern. While it is understandable that some specifics must remain internal to ensure security, any business storing or sharing your customers’ data should be able to demonstrate a clear plan to address data security and breaches.
IM: Once an organization has started to work with a vendor, what can be done to ensure the security of that vendor's data?
Ortega: I recommend a quarterly or semi-annual check-in with vendors to inquire about any recent security updates. This can include changes to how data is being stored, penetration testing done in-house, or changes to vendors that an organization works with. Checking in periodically will ensure that your team can re-evaluate and plan for any changes necessary within the supply chain.
If feasible, consider creating individual drills and response plans with each vendor your business shares data with. Practicing and reviewing these plans each quarter or twice a year will ensure that both teams are prepared for anything.
IM: Have any of your clients learned about vendor cybersecurity the hard way? Can you provide some lessons that our readers can take away from those mistakes?
Ortega: As a security firm, we can’t discuss client experiences specifically. However, there are still key takeaways to be considered from companies that have experienced publicized breaches in their supply chain. Namely, that consumers will hold the company they gave their data to accountable for a breach regardless of where in the chain the breach occurred. Therefore, companies collecting information from customers must be responsible for evaluating and holding their vendors accountable for proper cyber hygiene practices.
It may seem invasive, but it is important that vendors and organizations work together to protect consumer data.