BreachExchange mailing list archives

Why cybersecurity is vital during the vendor selection process


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 8 Apr 2015 19:26:12 -0600

http://www.scmagazine.com/why-cybersecurity-is-vital-during-the-vendor-selection-process/article/405711/

Security breaches happen almost every day, but what's the likelihood of one
affecting you or your business? You might think you're immune to falling
into a cybersecurity trap, especially if you practice good security
“hygiene,” but to be confident you need to look beyond your own organization.

Security breaches such as those at Target and The Home Depot have brought to
light the risks that can be associated with some vendors. These attacks have
cost each company millions of dollars, and they're still fighting to earn
back their customers' trust.

You likely have a list of criteria to check through when hiring a vendor
(e.g. cost, expertise and financial stability), but if you haven't added
cybersecurity standards to that list, you should.

Even if you have strong security measures in place, your business' security
is only as strong as its weakest link. As we've all learned, Target was
breached through its HVAC vendor, illustrating why cybersecurity needs to
be an integral part of your conversation during the vendor-hiring process.
If a partner or vendor you work with isn't secure, it could devastate your
company, affecting your employees, customers, finances and even other
partners.

While there isn't a way to push a button to find out which companies follow
security best practices, you can get that information by asking the right
questions ahead of time. To get started, here are five areas to consider
the next time you're going through a vendor selection process:

Share cybersecurity concerns right off the bat.

The first thing to do as you're interviewing vendors is to start the
security discussion. Let them know how important it is for your company to
keep its data secure. It's as simple as asking: How will you keep my data
safe? The vendor should be willing and open to discuss their practices with
you, and if they aren't, it could be a warning sign that they aren't the
vendor for you.

Ask about phishing knowledge.

Phishing is one of the most common ways for cybercriminals to gain access
to private information because it's so easy to execute. The vendor you're
speaking with doesn't necessarily need to know the word “phishing,” but
they should know what to look for, such as suspicious emails carrying
attachments or asking for personal information. Phishing attacks aren't
slowing down, so at the very least, it's a good sign if a vendor has
trained their employees on email best practices.

Find out how internal information is managed.

During the discussion with your potential vendor, include questions to
determine how they internally store and organize information. Some
questions to ask include:

- Do you use password managers?
- What are your password policies?
- How are accounts and company information managed?
- Is company information stored in a secure manner?
- Where is it backed up to and how often?
- Do employees access company information through work computers only or
through additional devices?

Search for an online presence.

You should do a quick search to see if the vendor has a website and to get
a feel for how it's managed. Is it clear that it's maintained and kept up
to date? If you find their “Contact Us” form, is it using https or http?
Also, take a look at how the website is organized. Does the structure make
sense? Lastly, take security badges on a site with a grain of salt.
Companies can throw these badges on their site, but it doesn't mean their
security practices are award winning.
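As an added example that is not part of the article, the https-or-http check on the contact form can be scripted: the code below parses a page's HTML and lists every form whose submission target is not HTTPS, which catches the case where an https:// page still posts to an http:// action. The page URL and HTML are constructed samples, not a real vendor's.

```python
# Added example (not from the article): find <form> elements on a vendor page
# that would submit over plain HTTP. A form on an https:// page can still post
# to http:// through its action attribute, so the address bar alone is not enough.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormCollector(HTMLParser):
    """Collect the action attribute of every <form> element on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # Missing or empty action means "submit to the current page".
            self.actions.append(dict(attrs).get("action") or "")


def insecure_form_targets(page_url, html):
    """Return absolute target URLs of forms that would submit over HTTP."""
    parser = FormCollector()
    parser.feed(html)
    insecure = []
    for action in parser.actions:
        target = urljoin(page_url, action)  # resolves relative/empty actions
        if urlparse(target).scheme.lower() != "https":
            insecure.append(target)
    return insecure


# Constructed sample: the page is served over HTTPS, but its contact form posts
# to a plain-HTTP endpoint; the newsletter form stays on HTTPS.
SAMPLE_PAGE_URL = "https://vendor.example/contact"
SAMPLE_HTML = """<html><body>
<form id="contact" method="post" action="http://vendor.example/cgi-bin/contact.pl">
  <input name="email"><textarea name="msg"></textarea>
</form>
<form id="newsletter" method="post" action="/subscribe">
  <input name="email">
</form>
</body></html>"""

if __name__ == "__main__":
    for url in insecure_form_targets(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("form submits over HTTP:", url)
```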

Trust your instinct.

It might seem obvious, but sometimes the best advice is to trust your gut.
Take into account the organization's credibility and what their customers
have said about them. In the end, if you're comparing two different vendors
and one of them seems more secure, trust your instinct.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 