In 2013, Target was the victim of a massive cyber-attack. Hackers uploaded malware to point-of-sale devices, stealing an estimated 40 million credit card numbers and 70 million personal records. This was a security crisis of epic proportions. Sales dropped 40% in the quarter after the attack and Target spent an estimated $200 million upgrading their POS machines. (For more stats, check out The Target Breach, By the Numbers.)
How did hackers gain widespread access to such a huge corporation? They stole credentials from one of Target’s third-party vendors.
Each vendor that a company engages with represents a crucial point of risk. A breach in any of your vendors’ systems could become a major security issue for your company, damaging your bottom line and reputation. In short, your vendors’ security problems are your security problems.
Now, that’s a scary thought, especially if you haven’t vetted your current vendors or don’t even know how many businesses have access to your company data. It’s time to stop ignoring the potential hazards. Here are 3 ways to manage risk and stay on top of vendor security:
1. Make a vendor risk management plan.
Many organizations assess vendors using ad hoc methods. Each department handles vendor selection differently, developing its own standards and processes for evaluating third-party partners. Unfortunately, this decentralized approach makes companies vulnerable to vendors with poor security track records.
Standardizing your vetting process across your organization is the first step to mitigating data risk. Create a plan that is uniform across all departments and make sure that every employee has access to necessary documents and reporting mechanisms. Some things to include in your plan:
- Internal best practices for ensuring data security
- Evaluation procedure for assessing potential vendors
- Criteria and standard requirements for vendor selection
- Vendor candidate questionnaire
2. Evaluate security risks of third-party partners before you buy.
For many businesses, the security of third-party vendors isn’t even on their radar. A 2015 US study on cybercrime by PwC found that, despite cybercrime rates, 19% of CEOs, CFOs and COOs were not concerned about the risks associated with third-party suppliers and contractors.
Before you hand over crucial company data, do your homework. Research your vendors carefully to make sure there are no red flags. Here are a few tips for evaluating third-party companies:
- Check their compliance with government rules and regulations.
- Ask about their IT security practices and policies. How are they enforced?
- Ask to see industry certifications. Are they up to date?
- Seek out current customers. Are they satisfied with their services? How responsive is the support team?
3. Instead of multiple third-party apps, consider a single unified software solution.
In some cases, combining multiple software solutions is the path of least resistance. It may be easier to find a single app to solve that urgent operational problem than to transform your entire digital operation, but only in the short term. You’ll be compromising security in the long term. Remember, the more apps you have, the more opportunities for data breaches.
Going with a unified enterprise management software solution cuts down on the number of vendors with access to your data. Employing fewer vendors makes finding and solving security issues much easier. No more detective work while vendors play the finger-pointing game.
Keeping your eyes open for potential risks is essential when deciding which vendors to work with. It may seem labor-intensive, but you’ll be glad you went to the extra effort of protecting data assets. Looking for more ways to keep your company safe and secure? Check out these 3 Essential Rules for Data Sharing.