Cybersecurity Commandment #10: Keep An Eye On Your Vendors
As legal expert Christopher Wallace warned, people with whom you have gained a sense of familiarity and trust often act to the detriment of your financial well-being. This advice holds especially true in cybersecurity, where Jones Day, Kroger, MultiCare, and others have seen their data compromised through their vendors. Microsoft, SolarWinds, and file-transfer service Accellion have gained notoriety as vendors at the center of breaches and hacks affecting companies and federal agencies around the world. Indeed, hackers often attack a well-defended target through its vendor, on the often-correct suspicion that a smaller vendor holds the target's information without the target's security.
For this reason, Cybersecurity Commandment #10 proclaims, “Keep an eye on your vendors.” This involves five discrete actions:
Learn your vendor's data security protocols before entrusting it with your data. A chain is only as strong as its weakest link, and your data is only as secure as the least secure vendor with access to it. With that in mind, become familiar with your vendors' data security protocols. What security controls do they have in place, and is your data encrypted in transit and at rest? How often do they back up their information, how do they do so, and have they tested restoring from those backups? What are their protocols in the event of a ransomware attack, and how quickly will they notify you of an incident affecting your data? Ensure that your vendors employ security measures commensurate with the sensitivity of the data you are entrusting to them.
Limit your vendor's access to your data. Few people would give a contractor their house key and leave them unattended for years, but many companies give their vendors this kind of access to their data. Your kitchen contractor should not need access to your bedroom, and your cloud storage vendor does not necessarily need access to your employees' personal health information. For example, many government contractors follow NIST SP 800-171, which requires limiting system access to authorized users (requirement 3.1.1) and restricting the types of transactions and functions that authorized users can execute (3.1.2). Other businesses would do well to delineate their vendors' access along these lines, and to make that access time-limited: a vendor's credentials should expire with its engagement rather than linger until someone remembers to revoke them.
No vendor is too small. As mentioned above, hackers often attack secure targets through less secure vendors, which are more likely to be smaller companies that lack the time, budget, or inclination to put elaborate security measures in place. Small businesses tend to have weaker security than large corporations, so a small vendor can be an attractive entry point into a larger business. Additionally, foreign threat actors often attack small businesses purely for profit, and if such an attack turns up a path into your more profitable business, you may be next in line. So any business, big or small, with access to your data needs to comply with your data security requirements.
Audit your vendors. For vendors entrusted with sensitive or confidential information, your contract should give you the right to audit their data security protocols regularly to confirm compliance, whether through your own review or through an independent assessment (such as a SOC 2 report) that the vendor must furnish on request. Promises mean nothing if the vendor cannot consistently demonstrate its ability to fulfill them.
Ensure you are covered in the event of an attack on your vendor. When a vendor suffers a data breach, you do not want to bear the brunt of any associated loss. For vendors with access to sensitive or confidential information, your contract should require the vendor to indemnify you, and to notify you promptly of any incident affecting your data so that you can meet your own notification obligations. Vendors unable to reasonably indemnify you should carry appropriate cyber insurance, which the contract should specify.
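As an added example (not part of the original article, and not any vendor's or standard's own code), the Python sketch below shows what "limit your vendor's access" and "audit your vendors" look like when enforced in software: each vendor account holds deny-by-default grants scoped to specific actions and resource paths, every grant carries an expiry so access ends with the engagement, and every decision, including denials, is recorded for later review. The vendor name "backupco", the resource paths, the contract dates and the requests are all constructed for illustration.

```python
"""Deny-by-default, time-bounded access grants for vendor accounts (illustrative)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatchcase

UTC = timezone.utc


@dataclass(frozen=True)
class Grant:
    """One scoped, time-bounded permission given to a vendor account."""
    vendor: str
    actions: frozenset   # verbs the vendor may perform, e.g. {"read", "write"}
    resources: tuple     # glob patterns over resource paths the grant covers
    expires: datetime    # UTC; access stops here even if nobody remembers to revoke it


@dataclass(frozen=True)
class Decision:
    """One access decision, kept so the vendor's activity can be audited later."""
    when: datetime
    vendor: str
    action: str
    resource: str
    allowed: bool
    reason: str


class VendorAccessPolicy:
    """A request is allowed only if some unexpired grant for that vendor
    lists both the requested action and a pattern matching the resource."""

    def __init__(self, grants):
        self._grants = {}
        for g in grants:
            self._grants.setdefault(g.vendor, []).append(g)
        self.audit_log = []

    def check(self, vendor, action, resource, now=None):
        now = now or datetime.now(UTC)
        decision = self._evaluate(vendor, action, resource, now)
        self.audit_log.append(decision)  # denials are logged too; probing is worth seeing
        return decision.allowed

    def _evaluate(self, vendor, action, resource, now):
        grants = self._grants.get(vendor, [])
        if not grants:
            return Decision(now, vendor, action, resource, False, "no grants for vendor")
        live = [g for g in grants if now < g.expires]
        if not live:
            return Decision(now, vendor, action, resource, False, "all grants expired")
        for g in live:
            if action in g.actions and any(fnmatchcase(resource, p) for p in g.resources):
                return Decision(now, vendor, action, resource, True, "matched grant")
        if any(action in g.actions for g in live):
            return Decision(now, vendor, action, resource, False, "resource outside granted scope")
        return Decision(now, vendor, action, resource, False, "action not granted")


# Constructed scenario: a hypothetical cloud backup vendor gets read/write on the
# backup bucket only, for a contract year. HR files holding employee health
# information are out of scope even though they live on the same storage system.
BACKUP_VENDOR_GRANT = Grant(
    vendor="backupco",
    actions=frozenset({"read", "write"}),
    resources=("backups/*",),
    expires=datetime(2025, 1, 1, tzinfo=UTC),
)


def run_demo(now=datetime(2024, 6, 1, tzinfo=UTC)):
    """Evaluate constructed requests; return (allowed, reason) for each audit entry."""
    policy = VendorAccessPolicy([BACKUP_VENDOR_GRANT])
    requests = [
        ("backupco", "write", "backups/2024-06-01/db.tar.gz"),  # in scope
        ("backupco", "read", "hr/phi/employee-records.csv"),     # PHI: out of scope
        ("backupco", "delete", "backups/2024-06-01/db.tar.gz"),  # verb never granted
        ("otherco", "read", "backups/2024-06-01/db.tar.gz"),     # unknown vendor
    ]
    for vendor, action, resource in requests:
        policy.check(vendor, action, resource, now=now)
    # The same in-scope request after the contract year ends is refused as well.
    policy.check("backupco", "write", "backups/2025-02-01/db.tar.gz",
                 now=datetime(2025, 2, 1, tzinfo=UTC))
    return [(d.allowed, d.reason) for d in policy.audit_log]


if __name__ == "__main__":
    for allowed, reason in run_demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The audit log is the piece that makes the contractual audit right in the previous paragraph actionable: a monthly pass over it shows which vendors are still active, which are probing outside their scope, and which grants have expired but are still being exercised.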
Cyber attacks through vendors will remain a mainstay for the foreseeable future. To make sure you won’t slip and expose your data, follow commandment #10 and protect your company from the consequences of a vendor breach.