Once you have your cyber security measures in place, you need to think about the business partners you use. How good do you think their cyber security measures are? Have you asked? Have you provided guidance that meets your requirements? Have you tested their measures?
Your data and your company’s security are only as good as the security of those who have access to your data. Many people worry about storing data in the cloud, but frankly, I would worry more about data maintained by my suppliers.
We love the convenience of technology. We can respond faster by letting our partners input orders, pay bills, check project status, etc. via shared portals. We offer online training courses through outside vendors who have employee training records and job descriptions.
Unfortunately, cyber security breaches can start at a vendor as the entry point into another company. The Target Corporation breach in 2013 started at a midsize heating and air conditioning company. A construction contractor was the entry way for a hacker to access the blueprints for the Australian Security Intelligence Organisation’s new building. Hackers look for opportunities and leverage easy access routes. They are not just looking at the designated large target; they look for multiple routes into the target.
- Assess the risk
Determine, supplier by supplier, who holds the largest amount of your confidential data in their control. This might be client lists, patent information, employee records, financial data, or customer names and addresses. There are many valid reasons your suppliers and service providers have information that a hacker might want.
Assign a value (A, B, C or 1, 2, 3 or whatever works for you) to highlight which companies pose potential risks depending on their cyber security measures.
- Find out what their security measures are for their data
If they aren’t taking strong measures with their own data, how can they secure yours? Find out when they last did a vulnerability assessment. Ask detailed questions about their findings and the improvements they made. Cyber security is not a stagnant initiative; it must be continuously funded and enhanced to meet increasing demands and challenges.
- Review the SLA
You have a service level agreement, right? Review it to see if it covers data security, breach responses, and recovery activities.
- Meet with one of the vendor’s senior officers, a board director, or legal counsel
Do not spend time talking to your beloved sales representative, head of customer service, or cyber security lead on this topic. You need to talk business owner to business owner about the shared risk. Communicate to the senior person the importance of cyber security to your business and the devastation that a data breach at their business will cause to their business, whether it is your data, their data, or another client’s data.
Also communicate to them this is a shared initiative. They need to know you take suitable safeguards within your business. You need to be partners to ensure both are communicating on possible issues and continuous improvement steps.
- Establish regular reviews
Call it whatever makes sense in your industry, but schedule regular reviews, audits, tests, or assessments so both parties understand the current security level. These might be done annually or every month, depending on the sensitivity of the data and the business environment. Retain the right to ask for unscheduled reviews whenever you feel one is needed.
- Ask them to have cyber security insurance
You do not want your business to be damaged by a significant security issue at their company. Just as you expect them to have fire insurance and property insurance, ask your vendor to have cyber security insurance so they can financially recover quickly and be a strong ongoing partner.
- Make sure they have suitable user access level controls
Not everyone in their company needs access to all data. Make sure the financial people only see what they need to, that production control people don’t see everything in your client file, and so on. The fewer people who see all the parts of your relationship, the fewer exposures there are.
User level controls limit what a hacker can access once they get into a system. Your vendor should make it very difficult for a hacker to reach your data from any single compromised account.
- Make sure your supplier has policies, procedures, and training programs
Employees need the support of an organization to set the suitable security guidelines and provide the training. A company that realizes the value and related risk of your data will ensure it has the processes in place to keep its employees informed and directed on how to manage your data while under their care.
- Make sure your company handles data sharing securely
All the best practices at your supplier are worth naught if the transfer of data between you is not equally well secured. Make sure transmitted data is encrypted and that only select people in your company and at the vendor can transmit data between the two entities. Mandate strong passwords and ideally require two-factor (dual) authentication for data movement and viewing.
- Control viewing, sharing and copying of the data
Ensure your vendor does not allow your unencrypted data to go home with an employee on her laptop. Make sure that a supplier’s employee can’t casually copy your data to a USB drive and walk out the door.
You may be a third-party provider for someone else. Be ready for their dialogue with you about your measures. You can establish the standard for strong cyber security measures among your business partners.