An exploitable flaw in a vendor's systems can give attackers access to a company's data.
Many companies face a looming cybersecurity threat from the technology vendors that help them run their business day to day.
Technology vendors perform a variety of critical functions, including hosting information in the cloud, organizing information and data, interacting with customers and employees, and accepting payments.
As companies rely more on technology vendors, those vendors plug into company systems and share information with them. That connection leaves companies exposed: a hole in a vendor's system can be exploited by attackers to reach the company's data.
According to cybersecurity experts, companies can protect themselves against cyberattacks that arrive through vendors in five ways.
1. Review vendors rigorously when hiring
Because most of a vendor's cybersecurity approach is beyond the client's control, Jadee Hanson, chief information officer and chief information security officer at Code42 Software Inc., emphasized the importance of vetting vendors to make sure they are protecting against threats.
Vendor reviews and questionnaires can reveal a vendor's risk-mitigation efforts, she said. She recommends reviewing technology vendors' ethical hacking programs to ensure that their systems are continuously tested for vulnerabilities.
Third-party firms can also conduct an independent, detailed assessment of a vendor's security infrastructure. Such an assessment can be beneficial because vendors are more likely to open up to a third party than to their ecosystem partners, says International Data Corporation's Craig Robinson.
Cybersecurity programs are a secretive affair among CIOs and CISOs, says Mr. Robinson, and an outside firm that does this regularly makes it easier for them to open up.
2. Specify how data will be shared as part of vendor agreements
Companies and vendors should share an understanding of how their systems will interact, including how information will be accessed and shared between them.
A vendor might need access to company data to carry out routine workplace tasks such as payroll administration. A payroll vendor, for example, is responsible for “putting all that data back into your general ledger, so you can update your financials,” says Schellman & Co.'s chief executive Avani Desai. Companies should look for vendors who protect sensitive information with encryption.
3. Hire internal assessors to regularly brief directors on vendor cybersecurity programs and vulnerabilities
These assessors can onboard vendors and then continuously monitor their security protocols and detect issues, according to Ms. Hanson.
The board also wants to know who is responsible for monitoring the vendor's cybersecurity program, Ms. Hanson says.
4. Vendors should be held to strict confidentiality regarding company data
Vendors should access company systems under a least-privilege model, says Hanson: contractors should have access to the systems critical to their work and nothing more. Two-factor authentication should be a given.
Frank Dickson, group vice president of the security and trust research practice at International Data Corp., says that companies often grant access to employees but neglect to turn it off for those who have left. Because of the complexity and volume of vendor systems, he explains, companies may have difficulty rescinding vendor access as employees leave their firms. The issue is significantly more chronic with vendors, he says, since there is no triggering event, like termination of employment, to cut off access. Technology, however, makes it possible to automate the process.
Ms. Desai recommends that companies gate their vendors' systems so attackers cannot easily move between them when many vendor systems are reached from a company's network. Vendor systems can be sequestered from the main network by adding security controls and firewalls.
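As an added illustration, not code from the article or from any of the firms quoted, the following Python sketch shows the kind of automated, time-based access review Mr. Dickson alludes to: because vendor accounts have no termination event, each review pass flags accounts whose contract has ended, that have gone unused past a threshold, or that hold scopes beyond what the contract requires (the least-privilege point raised above). The inactivity limit, the account records and the scope names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Constructed sample records; a real review would pull these from the IdP/IAM system.
@dataclass
class VendorAccount:
    vendor: str
    account: str
    contract_end: date                 # end date of the vendor agreement
    last_login: Optional[date]         # None means the account was never used
    granted_scopes: Set[str] = field(default_factory=set)
    allowed_scopes: Set[str] = field(default_factory=set)  # what the contract needs

INACTIVITY_LIMIT = timedelta(days=60)  # assumed policy threshold, not from the article
REVIEW_DATE = date(2025, 6, 1)         # constructed "today" for the sample run

def review_vendor_access(accounts: List[VendorAccount], today: date) -> Dict[str, List[str]]:
    """Return {account: [reasons]} for every vendor account that needs action.

    There is no termination event for vendors, so the review is driven by time
    (contract end, inactivity) and by least privilege (scopes beyond the contract).
    """
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        reasons = []
        if acct.contract_end < today:
            reasons.append("contract ended")
        if acct.last_login is None or today - acct.last_login > INACTIVITY_LIMIT:
            reasons.append("inactive")
        excess = acct.granted_scopes - acct.allowed_scopes
        if excess:
            reasons.append("excess scopes: " + ",".join(sorted(excess)))
        if reasons:
            findings[acct.account] = reasons
    return findings

SAMPLE = [  # constructed data
    VendorAccount("payroll-co", "svc-payroll", date(2025, 12, 31), date(2025, 5, 28),
                  {"ledger:write", "hr:read"}, {"ledger:write", "hr:read"}),
    VendorAccount("old-host", "svc-oldhost", date(2025, 1, 31), date(2025, 1, 15),
                  {"storage:read"}, {"storage:read"}),
    VendorAccount("crm-co", "svc-crm", date(2026, 6, 30), None,
                  {"crm:read", "hr:read"}, {"crm:read"}),
]

def run_sample() -> Dict[str, List[str]]:
    return review_vendor_access(SAMPLE, REVIEW_DATE)

if __name__ == "__main__":
    for account, reasons in run_sample().items():
        print(account, "->", "; ".join(reasons))
```

Accounts with no findings (here, the payroll service account still under contract, recently used and within scope) are left alone; everything else is queued for revocation or scope reduction.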
5. Bring security expertise to boards by empowering the chief information security officer
Companies may face political obstacles when implementing vendor security programs. In many firms the chief information security officer has limited influence on the executive team, which makes cybersecurity a narrowly specialized responsibility.
According to Rick McElroy, principal cybersecurity strategist for VMware's security business unit, chief information security officers are generally the least powerful C-level roles. It is common for chief information security officers' recommendations to be left unfunded even when top-level executives are informed of the cyber risks and the associated costs. Some top-level executives ignore the findings of such studies altogether.
Bringing cyber expertise to boards would also help companies address risks more effectively.
The security profession needs to be elevated to the board level, and Mr. McElroy explains that this is just beginning to take place. Over the last year and a half, he says, we have heard from a lot of people who understand the risk language and are putting in place programs to manage each of those risks.