{"id":51224,"date":"2024-03-27T06:54:02","date_gmt":"2024-03-27T10:54:02","guid":{"rendered":"https:\/\/centricconsulting.com\/?p=51224"},"modified":"2024-03-27T07:19:10","modified_gmt":"2024-03-27T11:19:10","slug":"smart-vendor-security-is-key-to-avoiding-a-data-breach-in-2024","status":"publish","type":"post","link":"https:\/\/centricconsulting.com\/blog\/smart-vendor-security-is-key-to-avoiding-a-data-breach-in-2024\/","title":{"rendered":"Smart Vendor Security Is Key To Avoiding A Data Breach In 2024"},"content":{"rendered":"
In 2020, hackers gained access to the data of companies through malware installed on software updates to IT monitoring software from SolarWinds. The SolarWinds incident is an example of a supply chain attack, where hackers target third-party tools or software.

And bad news: Supply chain attacks, which allow hackers to target numerous organizations simultaneously, are on the rise — supply chain attacks increased 26 percent from 2022 to 2023. Through a combination of incomplete vendor security protocols and inconsistent compliance, a lack of employee education, and other factors, companies are leaving themselves vulnerable to nefarious actors.

Do You Really Need To Worry About Vendor Security?

Supply chain attacks and other methods targeting organizations through third-party apps and vendors are widespread for a few reasons.

Almost every company out there uses third-party tools and software. Mistaken assumptions about vendor security are rife, namely that vendors have the proper security controls in place and that default settings are secure. As a result, organizations neglect to thoroughly vet their vendors or reconfigure the settings of their tools and software — a common vendor security misstep. Finally, some companies make security exceptions for vendors they want to do business with, ignoring red flags for the sake of convenience.

Shadow IT is another huge contributor to the need for vendor security risk management. Anytime a company's employees independently begin using software from an unvetted vendor without the oversight or approval of the IT department, that's shadow IT.

The problem of shadow IT usually boils down to two issues: a lack of employee education on why shadow IT is a problem, and a subpar vendor security management program with an inefficient process for vendor approval.

For example, say an HR department wants to communicate using Slack, but it's taking a month to get official approval. What happens next? Those employees may decide to go ahead and set up personal Slack accounts (rather than a more secure enterprise account) and begin sharing company data through the insecure platform. That's a vendor security breach waiting to happen.

4 Steps to Smart Vendor Security Management

Organizations should focus on the following action items in 2024 to protect themselves against attacks through third-party apps and services. Of course, the more mature an organization's vendor security program, the lower the risks.

Shore up your vendor security management program.

Companies need a strong, zero-trust vendor security management program that covers the full vendor lifecycle from vendor setting to vendor decommissioning. Too often, organizations do their due diligence at the beginning of an engagement with a vendor but neglect regular monitoring during the contract or decommissioning once the contract ends.

Why is this important? Just because an application or software passed the security test initially doesn't mean changes haven't happened that open up loopholes for hackers. (Case in point: The SolarWinds data breach, which came from a software update.)

The 2023 State of Supply Chain Defense from BlueVoyant found that under half of organizations regularly monitor supply chain vendors. Given the growing threat of supply chain attacks, that number should be closer to 100 percent.

Outline clear expectations around vendor security — and put it in a contract.

At a minimum, with every vendor, organizations should require a formal service level agreement (SLA) that stipulates cybersecurity requirements and expectations. The SLA needs to cover rules around data access, data management and usage, as well as required steps in the event of a problem and non-compliance penalties.