Do you know your vendors?

Risk is everywhere. A contractor installing a video screen bills clients from an unsecured coffeehouse Wi-Fi network, and your company info leaks. A janitor cleaning an office accidentally loses a work pass that someone with nefarious aims picks up. A technician updating a firm’s mobile network fails to follow network safety protocols — or worse, is already connected with a hacker network.

Chains are only as strong as their weakest link, and the same goes for business personnel, software, hardware and networks. Companies that vet their employees may still fail to ask questions of third-party vendors. According to Price-Waterhouse Cooper, 74 percent of companies don’t have a comprehensive review of their third-party vendors that handle sensitive data, and 73 percent don’t have processes in place to handle breaches. Things have likely improved since this 2013 report, but the concerns among industry experts remain high.

Additionally, vetting this deeper supply channel is being increasingly asked of CISOs and CIOs, and the board is ultimately responsible should a nightmare scenario occur. Fortunately, boards have the ability to set vendor risk assessments as a priority for an entire company culture. Below are some call-to-actions to consider to keep security breaches at bay:

1. Assess Risks Within Your Own Network Walls
Hackers, faced with tightening network controls, have resorted to stealing credentials from suppliers to back end their way into systems, according to TechNewsWorld. A major breach at Target in 2013 was tied in part to credential theft from a third-party vendor that offered some project management and billing services. A year later, malware struck Home Depot via another third-party vendor.

Insider security breaches have long been a serious threat for businesses, as employees may not fully realise the implications of leaving their emails logged in, reusing a password across accounts, or leaving files exposed on a desk. Third-party vendors and service providers can present the same problem, accessing a network and exposing vulnerabilities.

2. Get to Know Your Vendors Really Well
When working with new vendors, security should be a major component of the decision; it’s simply too risky to assume someone’s secured without conducting a proper verification. Get into the weeds to make sure a vendor has third party security audits, certifications, and protocols that are at least as good as what you have internally.

To ensure that security risk assessments are a major factor of all vendor hiring decisions, make sure to ask, for instance, the janitorial company you’ve hired if they do background checks. The same question can extend to technicians and others. Asking a vendor about security vetting, clearance and security education before they start a job can quickly separate those who offer some confidence in respecting your security needs from those who don’t.

3. Don’t Allow Any Vendor to Slip Through the Cracks
Sure, every organisation should have a clear policy on expectations related to internal security checks, external audits and certifications required of any vendor. But, if security is going to be top of agenda, a clear, complete, and updated list of vendors is needed so that the IT organisation at any company can score each vendor by the potential risk they could pose. It sounds simple enough, but the extra due diligence can be the difference between security and a multi-million-dollar debacle.