Cyber Security 101: Vendor and third-party security

Common cyber attacks

First, a quick review on some of the most common attacks. If you’ve implemented your own cyber security practices and controls, then you’re already familiar with these threats. Apply the same scrutiny when it comes to your vendors’ security. then you’re already familiar with these threats. Apply the same scrutiny when it comes to your vendors’ security.

• Social engineering: Social engineering attacks, including the most common email phishing attacks attempt to steal sensitive information through phony emails posing as people or parties with earned trust. Today, threat actors are now utilizing things like QR codes, Teams messaging, WhatsApp, and SMS to deliver these same tactics and techniques. These can be used in conjunction with business email compromise scams and tech support scams.
• Ransomware: This dangerous software can lock down your company’s data and lock you out of your business until a ransom is paid to free the data. The Royal Canadian Mounted Police (RCMP), describes Ransomware as, “A type of malware that encrypts user data and demands ransom for it.”
• Malware: Damaging software designed to infiltrate your business, corrupting your data and irreparably damaging your systems (or providing unsolicited or unknown access). As defined by the RCMP, “A software created to damage a computer, server or network. It can cause damage to systems and/or allow the cyber attacker to gain unauthorized access.”

These are just a few of the most common security threats and each comes in a variety of attacks. You already know that cyber security is absolutely essential for your business. Now let’s look at some tips on how to apply that same standard to the security of your vendors.

Tips on how to monitor your vendors and protect your business

1.   It starts with the contract

Legal contracts are an imperative aspect of running a successful business. Extend this same practice and standard to your vendor’s cyber security. It is crucial to put non-negotiable cyber security provisions in your vendor agreements. These provisions will give you opportunities to evaluate your vendor’s security practices and require them to update their controls.

2.   Ensure vendor security is up to date

As fast as cyber security is established, attackers are inventing new means to subvert your controls. The digital world is in constant flux and escalation is an inevitable risk that must be mitigated through regimented updates. Require your vendors to routinely update their cyber security to ensure the best protections are always in place.

3.   Verification through shared processes

If your business already has a sound cyber security framework (and if it doesn’t, make this a top priority) then extend your processes to your vendors. Work with them to establish shared processes to follow and to verify their compliance. Shared processes will give you a clear mechanism to ensure your vendor’s cyber security is up to standard.

4.   Multi-factor authentication

Multi-factor verification is a simple but critical step. This should be standard practice not just in your business, but for all of your vendors as well. This extra step will provide essential safeguards to all platforms and logins used by your vendor.

5.   Limit access to your database

Only allow access to the data needed by your vendors to carry out their work. Otherwise, put limits on their access to your databases—especially those with sensitive information. When access is required, deploy your own cyber security practices to put the right controls in place. Finally, remember to remove access when it’s no longer needed.

6.   Strong passwords and encryptions

Ensure you and your vendors are both using strong passphrases with properly configured encryption to protect your data. And require scheduled passphrase updates with minimum complexity standards.

7.   Get cyber security insurance

Even if all the proper practices and controls are in place for both you and your vendors, attacks can still happen. In the event of a vendor security breach, having cyber security insurance in place will be essential to protect you and your business. in place will be essential to protect you and your business.

What to do if there is a vendor or third-party breach

Despite all your best efforts and due diligence, your vendor or supplier may still experience a data breach or cyber-attack. If that happens, get all the information on the breach and its current status as quickly as possible. Having the right information will empower you to make the most informed decisions as you monitor the progress of your vendor’s response. As part of your own vendor security breach action plan, the following steps are essential:

1. Secure your environment and check for intrusions.
2. Change account passphrases and validate with your contacts updated processes associated with systems and software with that vendor.
3. Contact the appropriate parties (insurer, legal, IT, etc.) identified in your incident response plan immediately (In Canada, if you have damages as a result of the breach, contact your local police service, and report it here: https://www.cyber.gc.ca/en/incident-management)
4. Connect with your vendor to ensure they have a plan in place to remedy any vulnerabilities moving forward and ask for regular updates.
5. Notify your customers if their data compromised and communicate with them.

After the cyber attack has been resolved, it will be up to you to review the breach and your vendor’s response. Did they follow your shared processes? Was their security up to date? Could the breach have been prevented? Once you’ve evaluated the event and your vendor’s response, you can decide whether or not you want to continue partnering with that vendor.

You have support

Protecting your business against cyber attacks is already an unrelenting task — and now you have to monitor your vendors and other third-party collaborators’ cyber security on top of it. But you don’t have to do it alone. We are available to support you in protecting your business by establishing the strongest cyber