“It is abundantly clear that, in many respects,” Mr. Lawsky (New York State’s top financial regulator) said in the letter, “a firm’s level of cybersecurity is only as good as the security of its vendors.” NYTimes.com: After JPMorgan Cyberattack, a Push to Fortify Wall Street Banks 10/21/14
Can you think of a company that doesn’t outsource some part of its business to a third-party vendor?
Businesses of all sizes use subcontractors, lawyers, accounting firms, banks, software-as-a-service (SaaS) providers for their salesforce CRM and employee timekeeping, cloud providers for hosting solutions and maybe even off-shore organizations for software development.
If the answer to many of these questions is “no” or “I don’t know” then you should take action. Action starts with looking at the contracts you provide your vendors/sub-contractors and ensuring the clauses require them to adhere to the same security standards you expect from your own company and that they are open to an audit.
You don’t want to end up like Target Inc.:
“The breach at Target Corp. that exposed credit card and PII data on more than 70MM consumers began with a malware-laced phishing attack sent to a third party vendor” KrebsOnSecurity
NetWatcher provides a low-cost, powerful managed security service for as low as $299 a month that you and your suppliers can use to ensure you have a handle on the security of your supply chain.