Vendor security management is an important part of your cybersecurity program. In this segment of “Office Optional with Larry English,” Larry shares four areas to keep in mind to prevent a data breach.
In 2020, hackers compromised SolarWinds' build process and inserted a backdoor into legitimately signed updates of its Orion IT monitoring software; customers who installed those updates unknowingly gave the attackers a foothold in their networks. The SolarWinds incident is an example of a supply chain attack, in which hackers target a third-party tool or software vendor in order to reach the organizations that use it.
And bad news: Supply chain attacks, which let hackers hit numerous organizations through a single compromised vendor, are on the rise. Supply chain attacks increased 26 percent from 2022 to 2023. Through a combination of incomplete vendor security protocols, inconsistent compliance, a lack of employee education and other factors, companies are leaving themselves vulnerable to nefarious actors.
Do You Really Need To Worry About Vendor Security?
Supply chain attacks and other methods targeting organizations through third-party apps and vendors are widespread for a few reasons.
Almost every company out there uses third-party tools and software. Mistaken assumptions about vendor security are rife, namely that vendors already have the proper security controls in place and that default settings are secure. As a result, organizations neglect to thoroughly vet their vendors or to harden the default configuration of the tools and software they adopt, which is a common vendor security misstep. Finally, some companies make security exceptions for vendors they want to do business with, ignoring red flags for the sake of convenience.
Shadow IT is another huge contributor to the need for vendor security risk management. Anytime a company’s employees independently begin using software from an unvetted vendor without the oversight or approval of the IT department, that’s shadow IT.
The problem of shadow IT usually boils down to two issues: a lack of employee education on why shadow IT is a problem, and a subpar vendor security management program with a slow, unclear process for vendor approval.
For example, say an HR department wants to communicate using Slack, but it's taking a month to get official approval. What happens next? Those employees may decide to go ahead and set up a free workspace with personal accounts (rather than an enterprise account that IT controls, with single sign-on, audit logging and retention settings) and begin sharing company data through a workspace the company cannot monitor, manage or wipe. That's a vendor security breach waiting to happen.
4 Steps to Smart Vendor Security Management
Organizations should focus on the following action items in 2024 to protect themselves against attacks through third-party apps and services. Of course, the more mature an organization's vendor security program, the lower the risk.
Shore up your vendor security management program.
Companies need a strong, zero-trust vendor security management program, one that treats every vendor as untrusted by default and covers the full vendor lifecycle from vendor vetting to vendor decommissioning. Too often, organizations do their due diligence at the beginning of an engagement with a vendor but neglect regular monitoring during the contract or decommissioning (revoking access, deleting shared data, removing integrations) once the contract ends.
Why is this important? Just because an application or software passed the security review initially doesn't mean changes haven't happened since that open up new weaknesses for hackers. (Case in point: the SolarWinds breach, which arrived through a routine, signed software update from a vendor that customers had already trusted.)
The 2023 State of Supply Chain Defense from BlueVoyant found under half of organizations regularly monitor supply chain vendors. Given the growing threat of supply chain attacks, that number should be closer to 100 percent.
Outline clear expectations around vendor security — and put it in a contract.
At a minimum, with every vendor, organizations should require a formal contract, typically a security addendum or service level agreement (SLA), that stipulates cybersecurity requirements and expectations. It needs to cover rules around data access, data handling and usage, the steps the vendor must take in the event of a security incident (including how quickly they must notify you), and the penalties for non-compliance.
Then, organizations should be annually reviewing vendor security audit reports, such as a SOC 2 Type II report, which assesses how well a vendor's controls safeguarded customer data over the audit period rather than at a single point in time. When reviewing the report, check that its scope actually covers the service you use and read the auditor's noted exceptions, not just the cover letter.
Design a risk-based approach to cybersecurity.
A common mistake organizations make around vendor security management is to apply the same process and rigor to every vendor. Instead, companies should take a risk-based approach, weighing the risk of the vendor and the sensitivity of the data it will access and vetting them accordingly.
To assess the risk associated with a vendor, ask the following questions: What type of data will you share with the vendor, and is any of it regulated (personal, health or payment data, for example)? If that data were lost or compromised, what would happen? Who would need to be notified: customers, state regulators, federal regulators or the SEC?
In short, the sensitivity of the data and the potential fallout from that data being compromised should guide vendor security management measures.
Educate employees on cybersecurity and vendor risks.
Employee education is a common weak link in a company’s cybersecurity program. Companies with independent operating groups (which often means shadow IT) especially should put a program in place to educate employees on vendor security and the required process for vetting and monitoring all third-party tools and software providers.
Employees should be well-versed in all the reasons why shadow IT is problematic (it increases the chances of a data breach and of compliance violations, for example) as well as in the list of approved vendors and solutions at their disposal, so that the sanctioned path is the easy path. The SolarWinds breach is only one example of how hackers can target organizations via third-party vendors.
Simply put, companies can’t afford to be complacent around vendor security management. By prioritizing the action items listed above, organizations can safeguard themselves against costly data breaches that could harm their customers, their bottom line, and their reputation.