Cyber Security: How Vendor Roles Relate

May 22, 2017
Cyber Security: How Vendor Roles Relate

Cyber security threats are a real and present danger to company infrastructures today. The dynamic nature of cyberspace demands the implementation of dynamic security policies with layered defenses. Organizations must adhere to strict definitions and actions concerning network abuse, natural disasters, and outside infiltration. However, this isn’t just true for the business infrastructure. Because integrated connections are required for operation, every vendor with access to the organization must also deploy adequate communication and data protections.

Consider the attack perpetrated on Target. Credit card and personal information were exposed through a phishing attack not directed at the enterprise. The malware-laced email was delivered to an HVAC firm that engaged with the retailer, and from that point was able to compromise Target through the permissions granted to the supplier. To ensure that cyber security isn’t compromised through a vendor, companies should understand the policies every supplier necessary for operations has in place. Consider the following cyber security questions before allowing a vendor network permissions.

What data protection standards have been attained?

Once data is shared with a vendor, organizations no longer have control over its security. It’s important to know what standards have been attained by any suppliers who work with the company. Are ISO 27001, SSAE16, or SafeHarborcertifications present? Knowing what asset and information security, auditing, and compliance laws are met gives valuable insight into how vendors protect data through encryption and secure transmission.

What security awareness processes are used?

Human error accounts for nearly all major security breaches. Vendors should have detailed user awareness programs in place that stress the importance of the acceptable use policy (AUP) and initiate reliable employee training.

Are partitions or separations employed for data and the main infrastructure?

Another vendor area important for companies to examine is the segmentation of client data and critical infrastructure. A number of security problems can be eliminated or reduced by storage techniques. For example, database servers and web servers must be separated. The database server should be located behind the firewall, not in the demilitarized zone with the web server. It is more complicated to initially configure, but the cyber security benefits it establishes are worth it.

What current disaster recovery (DR) plan is in place?

The disaster recovery plan illuminates the level of the vendor’s concern with cyber security and how effective their responses will be in mitigating financial loss. Often, attackers target vendor systems first, so working with vendors that ignore robust security measures, especially DR plans, increases the company’s attack surface.

Since transacting business in today’s global marketplace relies on maintaining profitable relationships with external suppliers, it’s crucial for organizations to understand how their vendors address and respond to cyber security issues. Doing so will help limit the attack surface and ensure that relationships don’t encourage greater risks.