Third-party vendors can be a hidden cybersecurity risk. Here’s how to keep you – and your customers – secure.
The Importance of Vetting Your Vendors
A vulnerability in the file transfer software MOVEit led to a widespread data breach that impacted millions of people worldwide last year.
The incident, which federal authorities attributed to a Russian hacking group, compromised personal data from hundreds of companies and government agencies. Some of the high-profile victims included the U.S. Department of Energy, Shell Oil, and the Johns Hopkins Health System.
The situation was a large-scale example of the many incidents each year in which companies suffer data breaches because their third-party vendors have been hacked. In fact, more than 98% of organizations have a relationship with a third party that has been breached in the past two years, according to a 2023 report from SecurityScorecard.
These situations highlight a concerning reality that all businesses face: As hackers seek out weaknesses up and down the supply chain, your vulnerability to hacking isn’t just affected by your own cybersecurity. It’s affected by your vendors’ cybersecurity, too.
Let’s explore how to properly manage your third-party vendors and vet them to prioritize the security of your customers, your employees, and your business.
What Cybersecurity Risks Could Third-Party Vendors Pose?
Third-party vendors have more access and interconnectivity today than ever before. From software and cloud storage providers to payment processors, consultants, contractors, and managed service providers — there are a host of companies that may have sensitive information related to a single business’s finances, employees, and customers.
While a business may follow all of the protocols, checklists, and best practices when it comes to its own cybersecurity, these connections to outside vendors can leave it vulnerable.
For example, third-party payment processors could have access to information like customer credit card numbers and bank account numbers. A payroll vendor could have access to employees’ private financial information. And your managed service provider has privileged access to your IT infrastructure, which an attacker who compromises the provider could use to reach a large amount of your data.
When one of these vendors suffers a breach and it affects your company, it can cause harm to your customers, employees, and reputation — as well as your bottom line. For example, in 2013 a hack of one of Target’s HVAC contractors led to data being stolen from as many as 40 million cardholders, and the cyberattack cost Target millions.
What to Ask Your Vendors About Cybersecurity Practices
As a business, the first step in managing the risk among your vendors is being proactive. Whenever you hire a third-party vendor, it’s important to make security a focus of your selection process.
Hackers look for weak links all along the supply chain, so a vendor with weak security protocols, outdated software, untrained employees, or other vulnerabilities could become the entry point for a breach that hurts your business and your customers.
Here at 12 Points Technologies, we recommend asking your vendors the following questions:
- How do you manage access to the passwords for our business’s accounts?
- Do you use generic passwords for any accounts?
- How often do you perform data backups? What kind of backups do you use?
- How often do you run internal updates and patches?
- What is your response plan if you were to experience a data breach?
What to Ask Your Managed Service Provider (MSP)
The selection of a managed service provider is an especially important decision since these companies perform IT management, security services, data backups, and more.
When working with an MSP, we recommend asking the following questions:
- What is your customer-facing security protocol?
- What cybersecurity training does your staff receive? What conferences do you attend?
- Do you operate a “zero-trust” environment within your company? What are the controls that you have in place to restrict access to sensitive data and systems?
- Ask to review their security stack (email protection, backup and recovery, endpoint protection, web filtering, managed detection and response). If they won’t share that information, ask why.
For more information, read our guide, “5 Questions to Ask Before Choosing a Managed IT Service Provider.”
What Should You Do if One of Your Vendors Is Breached?
If you learn one of your vendors has been hacked, the first step is to learn more about the breach, determine what data was exposed, and evaluate your risk. Work closely with your cybersecurity professionals to follow your incident response plan, if you have one.
Other steps include:
- Changing your passwords.
- Checking your backups.
- Running security scans on your entire network (not just email).
- Updating your multi-factor authentication.
If it’s your managed service provider that has been hacked, ask them for more information about the scope of the risk and follow their recommendations for responding and protecting yourself.
Work With the Right Cybersecurity Expert to Lower Your Risk
Whether you’re vetting your vendors or recovering from a third-party data breach, you don’t have to face the challenge of dealing with these issues alone. Working with a cybersecurity consultant or managed service provider will help you understand your vulnerabilities and point your company in the right direction.
At 12 Points Technologies, we take a security-first approach to all of our services. We offer customizable cybersecurity and risk management services to help you holistically defend yourself against cyberattacks. And unlike some managed service providers, we are transparent about our security practices and work to ensure you know your data is in good hands.
Our services include security assessments to analyze your network infrastructure’s integrity, and vulnerability management services that identify your weak spots, monitor them, and help you fix them.
Reach out to us today to discuss how we could help you strengthen your business’s cybersecurity.
About Us
The experts at 12 Points Technologies LLC offer the highest level of Cyber Security, Digital Forensics, and Managed Service solutions to meet your needs.