Know Thy Vendors

One of the most important things to consider when dealing with the issue of cybersecurity does not even involve your own direct network security.  It involves your vendors: those companies and organizations that help you run your business in an efficient and cost-effective manner.  Those little “helpers”, however, can also be a huge threat vector to your organization.  In the world of cybersecurity, you are only as strong as the weakest link in your data chain.

Many companies understand that they need to take their own security very seriously.  However, they often overlook the fact that their vendors’ security is just as important.  The ease, convenience and cost-effectiveness of outsourcing certain business functions frequently overshadow the potential pitfalls lurking in using outside vendors.

While the “fault” of a breach may lie with one of your vendors, the ultimate “cost” of the breach will fall squarely on your shoulders.  What do I mean?  Customers and clients usually don’t care that the company you use for your mail services was the entity that was breached; it affects them because of their relationship with you.  Therefore, they blame you.  Do you know the name of the HVAC vendor that caused the Target breach? No. You only know that Target was breached.  Therefore, one of the most important things you can do for your company when addressing cybersecurity is to perform the appropriate due diligence on the vendors you use.

Cybersecurity is not something you can think of in a linear way.  It is a spider web with tendrils that are everywhere.  So in addition to robust IT security systems, employee training, purchasing cybersecurity insurance policies, and developing a thorough data breach response plan, any company that takes cybersecurity “seriously” must also vet its vendors. In the current business climate, I cannot think of a single organization that doesn’t provide some sort of data or systems access to a third-party vendor. Those vendors can include accountants, building managers, law firms, consultants and (of course) any data storage or cloud providers. Interestingly, the recent Verizon breach that caused Verizon users to change their PIN numbers was the result of a Verizon vendor putting information into a cloud storage area and incorrectly setting the storage to allow external access.

Vetting your vendors can range from getting a tour of the facility to a full-scale audit of their security systems and protocols.  You need to determine which level of review is appropriate based on the data the vendor has access to through your systems and the level of control they have over that data. A good place to start is understanding your systems, the data you store, and the technology used to allow the vendor access.  Once you have this base knowledge, you can better formulate questions that probe your vendors’ cybersecurity “maturity” and decide whether you need to delve further into their systems or use them at all.

Remember too that you can use cybersecurity as a bargaining chip.  Why would you use a vendor who has the cybersecurity maturity of a 3-year-old when you can get a full-blown adult?  Some of this will come down to cost.  A smaller vendor can be a less expensive option, but the corresponding trade-off is that they may also have less security (although small does not always correlate to less security).  Understanding your systems, exactly what you are engaging the vendor to do, and what type of data they will have access to can be the determining factor in whether you need to pay for the Lexus or if you only need a good Honda.

Finally, any agreement with your vendor should be memorialized, including your understanding of their cybersecurity maturity.  The contract should also clearly delineate responsibilities, liabilities and risk mitigation factors.  Once contract terms are finalized, you should develop internal guidelines that match your vendor contracts and detail how you shape the relationship with all future vendor contracts.  Continuity and dedication to your cybersecurity program is key when another organization is looking at your cybersecurity maturity (because you don’t want to be the weak vendor for your own clients!).

Cybersecurity is a problem that is not going away.  In fact, it is growing as cyber criminals become more sophisticated and get better at tricking us, our employees and our vendors.  The only way to truly combat the problem is to understand your systems and your vendors.  Because, in the world of cybersecurity, luck favors the prepared.

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.