There are obvious and non-obvious vendors, third parties, and contractors that have access to your data or your corporate network. The obvious ones are organizations that provide IT or technology services to you. Naturally, these individuals would have access to your data, because you’ve granted it!
On the flip side, there are plenty of organizations whose access to your corporate network or data is less obvious, or even hidden. These companies likely provide a business service to your organization and may include law firms, accounting firms, benefits providers, or PR agencies. Those firms may have access to your sensitive information, and you may be completely unaware. This can be for many reasons. Consider these common situations:
You may not consider these circumstances very important with regard to cyber security—but you should! If you’re providing “hidden” vendors with unprecedented levels of access to your corporate infrastructure, they can do major damage.
Let’s imagine that your company has just moved into two floors of a brand new office building. Every day, there are hundreds (or thousands) of people coming in and out of the doors. Some of those people you will know, and others you will not. Now let’s say the owners of the office building contract a third-party HVAC service, and they give that service provider access to monitor the building facilities remotely. Sounds like business as usual, right?
Well, what you don’t necessarily know is whether that HVAC company could unintentionally (or intentionally, depending on the circumstance) gain access to your data and corporate infrastructure through your shared internet connection in the building. Now, that’s not to say that you should quickly seek out your building manager and find out whether there’s an HVAC vendor hacking your system. Our point is simply to illustrate how hidden dangers with respect to cyber security aren’t as cut and dried as you might think.
A real-life example comes from an unfortunate hack this year involving three web-based press release distribution companies. Several hackers and a handful of investors teamed up to steal press releases before they went public. Using this information, they invested in the companies with major upcoming announcements, resulting in illegal profits of over $100 million. So even though the PR sites were hacked, it was the companies who used these businesses’ services who paid the price.
Being able to constructively manage cyber risk—whether it’s obvious or hidden—is a skill every business should practice. A lot of organizations are focused solely on managing their IT vendors, with hopes that those efforts encompass all security risks. But that approach simply isn’t comprehensive enough; you must look at other business services as well. It is quite likely that they either have data which you’ve provided to them, or they have data that you don’t know about—either way, they likely have access, and it needs to be controlled.
So, what steps can you take to help?
If you’ve read through this article and thought, “Oops! We trust too many organizations with our data...”, or “Have we provided our third parties with access to our corporate infrastructure without knowing it?”, don’t worry. This is a great step in the right direction. We encourage you to keep thinking very broadly about vendor risk management, and the steps you should be taking to ensure that your data is always secure.