“It is abundantly clear that, in many respects,” Mr. Lawsky (New York State’s top financial regulator) said in the letter, “a firm’s level of cybersecurity is only as good as the security of its vendors.” NYTimes.com: After JPMorgan Cyberattack, a Push to Fortify Wall Street Banks 10/21/14
Can you think of a company that doesn’t outsource some part of their business to a third party vendors?
Businesses of all size use subcontractors, lawyers, accounting firms, banks, software-as-a-service (SaaS) providers for their salesforce CRM and employee timekeeping, cloud providers for hosting solutions and maybe even off-shore organizations for software development.
- Do these vendors have data that is important and proprietary to your company?
- Do these vendors have access to important systems or even directly to your network?
- Do you require these vendors to sign up for the same cyber security policies that your own company employee sign? (acceptable use policies, cyber security training policies, destruction of data, encryption policies, remote access policies etc..)
- Do you require these vendors to have the same level of 1st and 3rd party cyber security liability insurance that you carry?
- How do you know your data is safe while it’s in their care? Would you know if someone stole your data from the vendor? Would the vendor tell you? Would the vendor even know?
- Do subcontractors and other vendors that connect to your network adhere to the same security policies for their desktops/laptops/phones that your own IT groups mandate?
- Do your vendors outsource any of your work to downstream providers? How secure are they?
- Do you require these vendors to have the same company protections in place (managed firewalls, anti-virus, content filtering, continuous monitoring etc..)
If the answer to many of these questions is “no” or “I don’t know” then you should take action. Action starts with looking at the contracts you provide your vendors/sub-contractors and ensuring the clauses require them to adhere to the same security you expect from your own company and that they are open to an audit.
You don’t want to end up like Target inc.:
The breach at Target Corp. that exposed credit card and PII data on more than 70MM consumers began with a malware-laced phishing attack sent to a third party vendor” KrebsOnSecurity
NetWatcher provides a low cost powerful managed security service for as low as $299 a month that you and your suppliers can use to ensure you have a handle on the security of your supply chain.