Third-Party Vendors: 6 Tips to Manage IT Security Risk

By Diane Reilly, Vice President of IT Services

How well do you know your third-party vendors? Recent history suggests: not as well as you should.

The Home Depot hack is still fresh in everyone’s mind. It was just over a year ago when criminals stole the credentials of a third-party vendor employee, gained access to the home improvement chain’s network and deployed malware on its self-checkout systems, and ultimately stole personal information from more than 56 million credit and debit cards belonging to Home Depot customers. The company has spent more than $40 million to recover from the attack.

The hits, unfortunately, keep coming. After its third-party photo service was hacked in July, CVS shut down the service and announced that customer credit card data might have been breached. And last month, T-Mobile’s vendor, Experian, was infiltrated, exposing the personal information of some T-Mobile customers.

These and other notable cyber attacks on well-known entities via third-party vendors should make all companies cautious about who they’re doing business with; they need to know the policies, controls, and processes outsourced providers have in place to protect their, and their customers’, information. If your vendor is breached, your network or your data might also be breached.

Here, then, are six things you can do to properly and effectively manage your security risks—and avoid becoming the next Home Depot—when working with third-party vendors. 

  1. Do your homework. Always take time for the extra work at the front end. Check a vendor’s references, find out who the vendor has worked for and is working with, and spend an appropriate amount of time interviewing and getting to know the vendor. You should also identify any other parties associated with the vendor, and know if they subcontract any work or services you’re requesting from the vendor.
  2. Establish and follow your own policy. Every company should make the effort to draft and implement a third-party management policy, one that you can follow whenever you’re considering hiring an outsourced provider. The policy can outline—specifically as it relates to security—what you require of the vendor, what you’ll ask of the vendor, and what you’ll do to make sure the vendor is meeting your expectations.
  3. Validate vendor security policies and controls. Ask the vendor to produce its IT and security policies, and make sure they’re up to date and meet your standards. Also, review the various security controls the vendor has in place to protect both you and them from data breaches. This is critical if the vendor has access to or connects to your network; the appropriate safeguards are absolutely necessary.
  4. Ask to review a recent security assessment. Have the vendor’s security policies and controls been audited? Has the vendor undergone a formal vulnerability assessment? The only way you’ll truly know your risk exposure is to clearly understand the vendor’s risk and the effectiveness of the controls in place to minimize that risk.
  5. Lay it all out in the contract. Before you sign, be as specific as possible. The contract needs strong security language, it should be clear about the compliance and best-practice standards the vendor must meet, and it should include specific requirements such as background checks and regular security training for vendor employees. It has to be in writing so that if the vendor doesn’t hold up its end of the deal, you’re protected on a legal front.
  6. Plan for the hack. As we said, large-scale cyber attacks are becoming the norm. It’s critical that you and your vendor have a solid process in place to follow in the event of an attack. Assign roles and responsibilities, communicate those responsibilities clearly, and test the plan for its effectiveness. And, of course, back up your data and information offsite and make sure it’s accessible in all scenarios.

Bottom line: you’ve got to do your due diligence. At Carson Inc., before we outsource IT services, we check references, we verify security policies and controls, and we protect ourselves with specific contract language.

As you manage your IT security risk, it pays to be cautious and thorough, especially when considering and working with third-party vendors.

Diane Reilly is the Vice President of IT Services for Carson Inc., a Maryland-based IT services and security firm. For more information on Carson Inc.’s security services, please email marketing@carsoninc.com or call (301) 656-4565.