Man standing in office looking at tablet

Cyber Security 101: Vendor and third-party security

Cyber Security 101: Vendor and third-party security

Synopsis
5 Minute Read

You’ve done your due diligence and implemented a cyber security plan using all the best new tools for your business. But your business isn’t the only one putting your security at risk. It’s time to take a hard look at the cyber security of your vendors and other third-party collaborators.

If your vendors have any access to your data or sensitive information, you should prioritize vetting their cyber security practices. Do they have the right controls in place? Do they have a plan in the event of a security breach? Do you have cyber security insurance in the event of a third-party security breach?

Let’s look at how to properly monitor and vet vendor and third-party cyber security.

Common cyber attacks

First, a quick review on some of the most common attacks. If you’ve implemented your own cyber security practices and controls, then you’re already familiar with these threats. Apply the same scrutiny when it comes to your vendors’ security. then you’re already familiar with these threats. Apply the same scrutiny when it comes to your vendors’ security.

  • Social engineering: Social engineering attacks, including the most common email phishing attacks attempt to steal sensitive information through phony emails posing as people or parties with earned trust. Today, threat actors are now utilizing things like QR codes, Teams messaging, WhatsApp, and SMS to deliver these same tactics and techniques. These can be used in conjunction with business email compromise scams and tech support scams.
  • Ransomware: This dangerous software can lock down your company’s data and lock you out of your business until a ransom is paid to free the data. The Royal Canadian Mounted Police (RCMP), describes Ransomware as, “A type of malware that encrypts user data and demands ransom for it.”
  • Malware: Damaging software designed to infiltrate your business, corrupting your data and irreparably damaging your systems (or providing unsolicited or unknown access). As defined by the RCMP, “A software created to damage a computer, server or network. It can cause damage to systems and/or allow the cyber attacker to gain unauthorized access.”

These are just a few of the most common security threats and each comes in a variety of attacks. You already know that cyber security is absolutely essential for your business. Now let’s look at some tips on how to apply that same standard to the security of your vendors.

Tips on how to monitor your vendors and protect your business

1.   It starts with the contract

Legal contracts are an imperative aspect of running a successful business. Extend this same practice and standard to your vendor’s cyber security. It is crucial to put non-negotiable cyber security provisions in your vendor agreements. These provisions will give you opportunities to evaluate your vendor’s security practices and require them to update their controls.

2.   Ensure vendor security is up to date

As fast as cyber security is established, attackers are inventing new means to subvert your controls. The digital world is in constant flux and escalation is an inevitable risk that must be mitigated through regimented updates. Require your vendors to routinely update their cyber security to ensure the best protections are always in place.

3.   Verification through shared processes

If your business already has a sound cyber security framework (and if it doesn’t, make this a top priority) then extend your processes to your vendors. Work with them to establish shared processes to follow and to verify their compliance. Shared processes will give you a clear mechanism to ensure your vendor’s cyber security is up to standard.

4.   Multi-factor authentication

Multi-factor verification is a simple but critical step. This should be standard practice not just in your business, but for all of your vendors as well. This extra step will provide essential safeguards to all platforms and logins used by your vendor.

5.   Limit access to your database

Only allow access to the data needed by your vendors to carry out their work. Otherwise, put limits on their access to your databases—especially those with sensitive information. When access is required, deploy your own cyber security practices to put the right controls in place. Finally, remember to remove access when it’s no longer needed.

6.   Strong passwords and encryptions

Ensure you and your vendors are both using strong passphrases with properly configured encryption to protect your data. And require scheduled passphrase updates with minimum complexity standards.

7.   Get cyber security insurance

Even if all the proper practices and controls are in place for both you and your vendors, attacks can still happen. In the event of a vendor security breach, having cyber security insurance in place will be essential to protect you and your business. in place will be essential to protect you and your business.

What to do if there is a vendor or third-party breach

Despite all your best efforts and due diligence, your vendor or supplier may still experience a data breach or cyber-attack. If that happens, get all the information on the breach and its current status as quickly as possible. Having the right information will empower you to make the most informed decisions as you monitor the progress of your vendor’s response. As part of your own vendor security breach action plan, the following steps are essential:

  1. Secure your environment and check for intrusions.
  2. Change account passphrases and validate with your contacts updated processes associated with systems and software with that vendor.
  3. Contact the appropriate parties (insurer, legal, IT, etc.) identified in your incident response plan immediately (In Canada, if you have damages as a result of the breach, contact your local police service, and report it here: https://www.cyber.gc.ca/en/incident-management)
  4. Connect with your vendor to ensure they have a plan in place to remedy any vulnerabilities moving forward and ask for regular updates.
  5. Notify your customers if their data compromised and communicate with them.

After the cyber attack has been resolved, it will be up to you to review the breach and your vendor’s response. Did they follow your shared processes? Was their security up to date? Could the breach have been prevented? Once you’ve evaluated the event and your vendor’s response, you can decide whether or not you want to continue partnering with that vendor.

You have support

Protecting your business against cyber attacks is already an unrelenting task — and now you have to monitor your vendors and other third-party collaborators’ cyber security on top of it. But you don’t have to do it alone. We are available to support you in protecting your business by establishing the strongest cyber

Drew Buhr CISSP, CISA, ISO 27001 LA

Partner

780-733-8681

1-800-661-7778

[email protected]

Insights

  • Performance

    December 12, 2024

    How AgriStability can help purebred beef producers weather an uncertain marketplace

    How can you protect your purebred beef operation from financial losses? The AgriStability program can offset risks and help purebred beef producers thrive.

  • Progress

    December 10, 2024

    Lightbulb moments: How migrating to modern platforms can enable reliable energy production

    Forty-four percent of the North American Energy members have some cloud resources, and your company may fall behind if it does not invest in this new technology.

  • Confidence

    December 03, 2024

    Give and take: The impact of fraud on non-profit organizations

    Fraud poses serious risks to non-profits, from financial losses to reputational harm. Learn how to detect, prevent, and protect your NPO from fraud vulnerabilities.