If you want something done right, do it yourself – but what happens when that's not an option? Once your business gets to a certain size, you may find yourself relying more on third parties to help out. For example, you'll probably need…
- Credit card processing equipment or apps.
- Vendors or wholesalers.
- Independent contractors for building maintenance and other projects.
While these relationships take a significant amount of work and worry off your plate, they also introduce risk in the form of new data breach exposures.
Take Target's data breach, for example. In 2013, hackers were able to break into the retailer's payment systems and swipe about 40 million customer credit cards for one reason: they first stole the login credentials of Target's HVAC contractor. When a foothold is all you need to break into a sophisticated network, you go after the weakest link. Unfortunately, third parties are often that link.
With that in mind, let's look at some ways you can manage these business relationships to strengthen your cyber security on all possible fronts.
Vendor Management & Cyber Security: Two Sides of the Same Coin
So we've established that third-party vendors are a possible cyber exposure for your business. And what's at stake is more than just data breach cleanup costs (which can be significant) – your business's reputation is also on the line. After all, a breach is bad for business, and customers are becoming increasingly wary of who they trust with their confidential information.
Here are some ways you can make sure third parties don't inadvertently expose your network to potential hackers:
- Manage third-party responsibilities with contracts. These should have an indemnification clause, which can protect you when a vendor's actions cause a breach. You'll probably have to negotiate the extent of the indemnification coverage, but it's worth asking for in your contract. Having contracts can make eventual court cases over breaches easier to handle and more likely to work in your business's favor. Read more about how to use third-party contracts in this Business Insurance article.
- Monitor third-party network access. If a third party has access to your network, watch for command-and-control activity and other unusual activity. Also note that not all third parties should have the same level of access to the network. Limit each vendor's or contractor's system access to only the areas they need to do their work.
- Use two-factor authentication. Make sure that all third parties that can access your network use strong passwords and implement a two-factor authentication process. If vendor credentials are compromised, hackers will need yet another access code or physical security token to access the system.
Remember, it's in your vendors' best interest to take your business's security seriously, too. When a data breach happens and lawsuits start rolling in, usually all responsible parties will be named in the suit. Plus, it's not good PR for the vendor to be the reason a business suffered an attack.
That does give you some leverage when ironing out the details of your third-party contracts. At the same time, recognize that your vendors are accepting risk by working with you, too, so come to the table ready to negotiate fairly.