Originally written and published via the Forbes Technology Council, this article is a primer for executives on the importance of vendor security. Reprinted here.


John Dean is monitoring the refrigeration systems his company manages for a major retail chain. If something looks off in the systems, John can fix it remotely, ensuring uninterrupted convenience for his customers.

As he works, an email alert chimes. Distracted, John opens what looks like an urgent message from a business partner that he recently placed a rush order with. The email requests confirmation before shipping. Without a second thought, he clicks the link, enters his username and password, confirms the order and returns to his task.

All seems well. But it’s not. The link John clicked was a phishing trap. His credentials are now in the hands of cybercriminals who use them to access his email, plant malware on his machine and gain control over his system. From there, they collect sensitive data and leverage John’s access to infiltrate his customer’s network.

This breach wasn’t due to negligence—John and his company take security seriously. However, their business is a steppingstone in a larger attack. The real target? The retail giant they serve. By compromising John, hackers toppled the first domino, setting the stage for a larger breach. While John may be a fictional character in this case, this incident highlights the real-life importance of vigilance, even for companies that might not seem like prime targets.

5 Key Considerations For Addressing Vendor Security

If this sounds outlandish, I assure you it’s not. This is similar to the chain of events that led to the Target breach of 2013, in which 70 million customers had their information stolen. I wrote this article as a reminder of those hard-learned lessons, lest we forget them and end up repeating them.

How do you think about vendor security? Do your vendors have the same high security standards as you have for your internal services and infrastructure? Here are a few critical things to consider:

1. Implement a comprehensive vendor assessment process.

Create a vendor assessment process and apply it consistently to all your vendors. Integrate this process into your contract signing or renewal workflows to ensure it occurs on a regular basis. Include questions about the vendor’s security practices, data retention policies and recent third-party security assessments as part of your evaluation.

2. Stay ahead of vendor risks.

Continuously monitor and evaluate all your vendors wherever possible. Consider factors such as the number of vendor employees accessing your environment, the devices they use for access and whether those devices meet specific standards (e.g., up-to-date patches, approved software versions and corporate device management).

3. Build and test an incident response plan.

Things will go wrong. Develop a plan to detect problems as early as possible and respond swiftly to mitigate and resolve them. Regularly test your plan by conducting fire drills to ensure everyone knows their roles, responsibilities and communication protocols—both internally and externally—in the event of a security incident.

4. Enforce role-based vendor permissions.

Ensure your vendors have tightly scoped access, limited to what is necessary for their roles. For example, if they work in the operations department, they should not have access to other areas. The best practice is to create role-based groups and grant access to applications through these groups, rather than providing direct access to individual applications across the company.
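To make the group-based pattern concrete, here is an added example (not code from the original article or from Forbes) of how a small access-control model can derive a vendor's effective application access purely from role groups, and how an audit can surface legacy direct grants that fall outside a vendor's role. The vendor accounts, group names and application names are constructed for illustration.

```python
"""Role-based vendor access: applications are granted to groups, groups to roles.

Constructed example; the roles, groups, applications and accounts below are
hypothetical and not drawn from the article.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    user: str
    company: str
    role: str  # the single business role the vendor account was approved for


# Role -> groups it belongs to; group -> applications the group unlocks.
# Access is only ever granted at the group level, never to an individual.
ROLE_GROUPS: dict[str, set[str]] = {
    "operations": {"grp-ops-refrigeration"},
    "accounting": {"grp-ap-invoices"},
}
GROUP_APPS: dict[str, set[str]] = {
    "grp-ops-refrigeration": {"refrigeration-telemetry", "hvac-ticketing"},
    "grp-ap-invoices": {"invoice-portal"},
}

# Constructed vendor accounts.
VENDORS = [
    Vendor("jdean", "CoolChain Services", "operations"),
    Vendor("asmith", "Ledger Partners", "accounting"),
]

# Constructed legacy grants made directly to individual accounts, the pattern
# the article advises against. One of them reaches outside the vendor's role.
LEGACY_DIRECT_GRANTS: dict[str, set[str]] = {
    "jdean": {"refrigeration-telemetry", "hr-payroll"},
    "asmith": {"invoice-portal"},
}


def role_apps(role: str) -> set[str]:
    """Applications reachable through the groups assigned to a role.

    An unknown or removed role yields no access at all, which is what makes
    offboarding a vendor a single change (drop the role) rather than a hunt
    through every application's user list.
    """
    apps: set[str] = set()
    for group in ROLE_GROUPS.get(role, set()):
        apps |= GROUP_APPS.get(group, set())
    return apps


def can_access(vendor: Vendor, app: str) -> bool:
    """Access decision made purely from role membership; no per-user exceptions."""
    return app in role_apps(vendor.role)


def audit_direct_grants(
    vendors: list[Vendor], direct_grants: dict[str, set[str]]
) -> list[tuple[str, str]]:
    """Return (user, app) pairs granted directly that lie outside the user's role.

    Direct grants that merely duplicate what the role already provides are not
    flagged here, but they should still be migrated to the group model so that
    removing the role removes everything.
    """
    by_user = {v.user: v for v in vendors}
    findings: list[tuple[str, str]] = []
    for user, apps in sorted(direct_grants.items()):
        vendor = by_user.get(user)
        allowed = role_apps(vendor.role) if vendor else set()
        for app in sorted(apps - allowed):
            findings.append((user, app))
    return findings


if __name__ == "__main__":
    for v in VENDORS:
        print(f"{v.user} ({v.role}): {sorted(role_apps(v.role))}")
    print("out-of-role direct grants:", audit_direct_grants(VENDORS, LEGACY_DIRECT_GRANTS))
```

Running the script lists each vendor's group-derived access and flags the `hr-payroll` grant on the operations account, which is exactly the kind of out-of-role access that turns one compromised vendor login into a foothold elsewhere in the company.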

5. Prioritize vendors with verified security credentials.

If you have multiple vendors to choose from, prioritize those with reputable third-party certifications such as SOC 2 or ISO 27001. Additionally, prefer vendors that regularly conduct third-party penetration tests to assess and enhance the security of their services.

Conclusion

We’ve all heard the saying, “A chain is only as strong as its weakest link.” Imagine your business’s most valuable assets secured by a chain. Some links in the chain are yours, while others belong to your partners. The strength of the chain depends on every link. The same goes for software security—your vendors and partners must meet the same high standards you set for yourself. Protecting your assets this way builds trust with customers and shareholders alike.
