Relationships with vendors are important (or even vital) for many organizations, but unfortunately, there’s a trade-off—the more data you share, the more risk you acquire.
There are obvious and non-obvious vendors, third parties, and contractors that have access to your data or your corporate network. The obvious ones are organizations that provide IT or technology services to you. Naturally, these providers have access to your data, because you’ve granted it!
On the flip side, there are plenty of organizations whose access to your corporate network or data is less obvious, or even hidden. These companies typically provide a business service to your organization: law firms, accounting firms, benefits providers, or PR agencies, for example. Those firms may have access to your sensitive information without your being aware of it. This can happen for many reasons. Consider these common situations:
- You’ve contracted a business service and have given them more network access than you realized.
- You’ve sent something out to them, like an email or a USB drive, that may have contained sensitive trade information or personally identifiable information (PII).
- You’ve brought them onsite and have unknowingly allowed them to amass sensitive data on you through simple conversations or onsite visits.
You may not consider these circumstances very important with regard to cyber security, but you should! If you’re providing “hidden” vendors with broad access to your corporate infrastructure, they can do major damage.
Consider These Scenarios
Let’s imagine that your company has just moved into two floors of a brand new office building. Every day, there are hundreds (or thousands) of people coming in and out of the doors. Some of those people you will know, and others you will not. Now let’s say the owners of the office building contract a third-party HVAC service, and they give that service provider access to monitor the building facilities remotely. Sounds like business as usual, right?
Well, what you don’t necessarily know is whether that HVAC company could unintentionally (or intentionally, depending on the circumstance) gain access to your data and corporate infrastructure through your shared internet connection in the building. That’s not to say you should rush to your building manager to find out whether an HVAC vendor is hacking your systems. The point is simply to illustrate that the hidden dangers in cyber security aren’t as cut and dried as you might think.
A real-life example comes from an unfortunate hack this year involving three web-based press release distribution companies. Several hackers and a handful of investors teamed up to steal press releases before they went public. Using this information, they invested in the companies with major upcoming announcements, resulting in illegal profits of over $100 million. So even though it was the PR sites that were hacked, it was the companies using those businesses’ services that paid the price.
Important Steps To Take Today
Being able to constructively manage cyber risk, whether it’s obvious or hidden, is a skill every business should practice. A lot of organizations focus solely on managing their IT vendors, hoping that those efforts cover all security risks. But that approach simply isn’t comprehensive enough; you must look at other business services as well. It is quite likely that they either hold data you’ve provided to them, or hold data you don’t know about. Either way, they likely have access, and that access needs to be controlled.
So, what steps can you take to help?
- Identify the organizations and people who have access to your sensitive data or corporate network. Before you can manage the risk, you need to find out which business services actually have access to your data or network. There are plenty of organizations you haven’t thought about, and those unknown relationships are major blind spots.
- Develop a vendor risk management (VRM) program. This process takes considerable time and energy, but the importance of strong third-party security cannot be overstated. If your VRM program isn’t fully mature, don’t be afraid to ask questions.
- Reduce the amount and level of access as much as you can. To protect the data that matters most to you and your company, your “crown jewels”, ensure that only a small number of individuals have access to your data and network, and that their access is limited to what they actually need.
- Implement industry-standard vendor risk assessment methods, including formal risk assessments, questionnaires, on-site visits, technical scans, and security documentation reviews. You don’t need to reinvent the wheel to adequately measure and monitor risk.
- Use a continuous monitoring solution to “get the full picture”. This lets you monitor the cyber security posture of all your vendors, obvious and non-obvious alike, 365 days a year.
If you’ve read through this article and thought, “Oops! We trust too many organizations with our data...”, or “Have we provided our third parties with access to our corporate infrastructure without knowing it?”, don’t worry. This is a great step in the right direction. We encourage you to keep thinking very broadly about vendor risk management, and the steps you should be taking to ensure that your data is always secure.