Smart Vendor Security Is Key To Avoiding A Data Breach In 2024
Published 2024-03-27 at https://centricconsulting.com/blog/smart-vendor-security-is-key-to-avoiding-a-data-breach-in-2024/

Vendor security management is an important part of your cybersecurity program. In this segment of "Office Optional with Larry English," Larry shares four areas to keep in mind to prevent a data breach.
\n

In 2020, hackers gained access to the data of many companies through malware embedded in software updates for an IT monitoring product from SolarWinds. The SolarWinds incident is an example of a supply chain attack, in which hackers target third-party tools or software rather than their victims directly.

And the bad news: supply chain attacks, which allow hackers to target numerous organizations simultaneously, are on the rise — supply chain attacks increased 26 percent from 2022 to 2023. Through a combination of incomplete vendor security protocols, inconsistent compliance, a lack of employee education and other factors, companies are leaving themselves vulnerable to nefarious actors.

Do You Really Need To Worry About Vendor Security?

Supply chain attacks and other methods of targeting organizations through third-party apps and vendors are widespread for a few reasons.

Almost every company uses third-party tools and software. Mistaken assumptions about vendor security are rife, namely that vendors have the proper security controls in place and that default settings are secure. As a result, organizations neglect to thoroughly vet their vendors or to reconfigure the settings of the tools and software they adopt — a common vendor security misstep. Finally, some companies make security exceptions for vendors they want to do business with, ignoring red flags for the sake of convenience.

Shadow IT is another major driver of the need for vendor security risk management. Any time a company's employees independently begin using software from an unvetted vendor without the oversight or approval of the IT department, that's shadow IT.

The problem of shadow IT usually boils down to two issues: a lack of employee education on why shadow IT is a problem, and a subpar vendor security management program with an inefficient vendor approval process.

For example, say an HR department wants to communicate using Slack, but official approval is taking a month. What happens next? Those employees may decide to go ahead and set up personal Slack accounts (rather than a more secure enterprise account) and begin sharing company data through the insecure platform. That's a vendor security breach waiting to happen.

4 Steps to Smart Vendor Security Management

Organizations should focus on the following action items in 2024 to protect themselves against attacks through third-party apps and services. The more mature an organization's vendor security program, the lower its risk.

Shore up your vendor security management program.

Companies need a strong, zero-trust vendor security management program that covers the full vendor lifecycle, from vendor onboarding to vendor decommissioning. Too often, organizations do their due diligence at the beginning of an engagement with a vendor but neglect regular monitoring during the contract and decommissioning once the contract ends.

Why is this important? Just because an application or piece of software passed the security review initially doesn't mean changes haven't since been made that open up loopholes for hackers. (Case in point: the SolarWinds data breach, which came through a software update.)

The 2023 State of Supply Chain Defense report from BlueVoyant found that under half of organizations regularly monitor supply chain vendors. Given the growing threat of supply chain attacks, that number should be closer to 100 percent.

Outline clear expectations around vendor security — and put them in a contract.

At a minimum, organizations should require a formal service level agreement (SLA) with every vendor that stipulates cybersecurity requirements and expectations. The SLA needs to cover rules around data access, data management and usage, the required steps in the event of a problem, and penalties for non-compliance.

Organizations should then annually review vendor security audit reports, such as the SOC 2 report, which assesses how well a vendor safeguards a company's sensitive information.

Design a risk-based approach to cybersecurity.

A common mistake organizations make in vendor security management is to apply the same process and rigor to every vendor. Instead, companies should take a risk-based approach, weighing the risk posed by the vendor and the sensitivity of the data it will access, and vetting each vendor accordingly.

To assess the risk associated with a vendor, ask the following questions: What type of data will you share with the vendor? If that data were lost or compromised, what would happen? Who would need to be notified — customers, the state, the federal government or the SEC?

In short, the sensitivity of the data and the potential fallout from that data being compromised should guide vendor security management measures.

Educate employees on cybersecurity and vendor risks.

Employee education is a common weak link in a company's cybersecurity program. Companies with independent operating groups (which often means shadow IT) should especially put a program in place to educate employees on vendor security and on the required process for vetting and monitoring all third-party tools and software providers.

Employees should be well-versed in the reasons why shadow IT is problematic (for example, it increases the chances of a data breach and of compliance issues) as well as in the list of approved vendors and solutions at their disposal. The SolarWinds data breach is only one example of how hackers can target organizations via third-party vendors.

Simply put, companies can't afford to be complacent about vendor security management. By prioritizing the action items listed above, organizations can safeguard themselves against costly data breaches that could harm their customers, their bottom line and their reputation.


This article was originally published on Forbes.com.
