Are your third-party vendors a security risk?

Dec 19, 2021

Your business most likely relies on third-party vendors. Have you considered that partnering with the wrong vendor could result in financial losses and serious damage to your company’s reputation? Hackers intentionally go after companies that have access to other businesses. Think about it: break into one company and you can quickly gain access to hundreds or even thousands of companies. This happens every year and is an established attack path. The consequences of your vendor being compromised are so high that verifying that they are at least doing some cybersecurity basics is a wise move. What you don’t know about your business partners can hurt you.

Which third parties should you be focused on? Not all third parties should automatically be subject to review. Do they have direct access into your network? Do they have access to sensitive company information? These types of questions will give you insight into which companies you should prioritize.

Damages can be real

Could you imagine if you had invested good money and resources to try to ensure the security of your organization, only to get hacked because of a vendor? You want to ensure that the companies you do business with have at least as much security protection as you do, not less. A company’s security is only as good as the security of its vendors. Keep in mind that just because something is the worst-case scenario doesn’t mean it’s unlikely to ever happen; if anything, you should expect these types of problems and be prepared for a breach.

Performing Due Diligence

Having your selected vendors fill out a risk assessment can help determine what risk they may pose to your organization. It doesn’t mean everyone has to have perfect security, but if a vendor’s security is lacking and we can determine that, it helps us plan for dealing with an attack if or when it does come. If you would like a template to give your vendors, call or email RT Solutions and we’d be happy to supply one.

Business Software

The riskiest vendor software is software that is public-facing, meaning anyone on the internet can connect to it. This usually takes the form of what you would call a “Web App”. Web apps offer a wide attack surface, meaning there are many ways an attacker could attempt to break into them. Keep in mind that if that web app is running on one of your servers, once the hacker gets in they will move further into your network to steal your data or deploy ransomware.

It’s also important that when a vendor knows a security issue exists, they fix the problem in a timely manner. This isn’t always the case. The vendor must be aware of the issue and then motivated enough to make sure they resolve it. Companies sometimes know there is an issue with their software and then take months or even years to fix the problem.

Mitigations – Compensating for insecure third-party vendors

While we can’t control how the third party manages their software, we do have control over the security controls that we implement. If it is determined that a vendor’s security is less than stellar, we can take extra precautions to reduce the impact of a security incident. The main security measure you will want to take is isolating the vendor’s software and access to only the portion of your network that is required. If the vendor provides you software that is a web app, you may want to consider Cloudflare’s “Web Application Firewall” for an extra layer of security (see www.cloudflare.com). If you’d like to discuss the risks to your organization, you can book a no obligation meeting with a security professional below.
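One way to keep that isolation honest is to compare the firewall rules that actually exist for a vendor against the access the vendor has documented as required, and flag anything broader. The checker below is an added example written for this post, not an RT Solutions or Cloudflare tool; the vendor address range, the internal server and the rule sets are constructed sample values.

```python
"""Flag vendor firewall rules that grant more than the documented requirement."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR the vendor connects from
    dst: str      # CIDR inside our network the vendor may reach
    ports: range  # TCP ports allowed, e.g. range(443, 444) for 443 only


# Constructed sample: what the vendor's own documentation says it needs
# (one source range, one internal host, HTTPS only).
REQUIRED = [Rule("203.0.113.0/24", "10.10.5.20/32", range(443, 444))]

# Constructed sample: the rules currently configured for that vendor.
CURRENT_RULES = [
    Rule("203.0.113.0/24", "10.10.5.20/32", range(443, 444)),    # matches requirement
    Rule("203.0.113.0/24", "10.10.0.0/16", range(1, 65536)),     # whole internal /16, all ports
    Rule("0.0.0.0/0", "10.10.5.20/32", range(3389, 3390)),       # RDP open to the internet
]


def covered(rule: Rule, required: list[Rule]) -> bool:
    """True if the rule fits entirely inside some documented grant:
    source and destination are sub-ranges and the port range is contained."""
    for req in required:
        if (ip_network(rule.src).subnet_of(ip_network(req.src))
                and ip_network(rule.dst).subnet_of(ip_network(req.dst))
                and rule.ports.start >= req.ports.start
                and rule.ports.stop <= req.ports.stop):
            return True
    return False


def over_permissive(current: list[Rule], required: list[Rule]) -> list[Rule]:
    """Return the rules that exceed the vendor's documented requirement."""
    return [r for r in current if not covered(r, required)]


if __name__ == "__main__":
    for r in over_permissive(CURRENT_RULES, REQUIRED):
        last = r.ports.stop - 1
        ports = str(r.ports.start) if last == r.ports.start else f"{r.ports.start}-{last}"
        print(f"too broad: {r.src} -> {r.dst} tcp/{ports}")
```

Running the script reports the /16 rule and the RDP rule as exceeding the requirement, leaving only the single HTTPS grant the vendor actually needs.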

Ready to take your first step to a better IT experience?

Book your no obligation consultation today.