In thinking about the recent vendor vulnerability demonstrated by the recent AT&T data breach, announced on March 7, 2023, I’m reminded of the old saying, “A chain is only as strong as its weakest link.” Do you want to know what your weakest cybersecurity link might be? Quite possibly, your integration with a third-party vendor.
Ensuring that third-party vendors keep your users’ data secure requires establishing clear expectations and setting up a system of checks and balances. Follow these tips to avoid third-party vendor vulnerability and ensure you’re not the next company to have to announce you’ve lost control over millions of customer accounts:
Assess your vendor’s security policies: Before selecting a vendor, assess their security policies and practices. Ensure they align with your company’s standards. Ask the vendor to provide detailed information on their security practices, including how they protect data. Inquire how often they perform security audits and how they respond to security incidents.
Include data security provisions in contracts: Include provisions in your contract with the vendor specifying how they secure and handle your data. Start with your NDA. Prominently feature the provision in your Master Services Agreement (MSA), and reference it in every subsequent contact. Provisions and clauses should include the vendor’s responsibility (and liability) for security, as well as specific security measures they take to protect data. Mitigate potential vendor vulnerability by including conditions around data breaches and the vendor’s obligation to report them to your organization.
Require regular security assessments: Include regular security assessments as part of your agreement with the vendor. Additionally, stipulate that the assessments be performed by an independent third-party. These should evaluate the vendor’s security practices, including how they store and protect data. My team at Simeio regularly conducts assessments for our clients, heading off potential vendor vulnerability. Since we focus on Identity and Access Management (IAM), we’re always thinking about how to ensure the security of user data, whether in the workforce or among customers.
Limit access to data: Only give vendors access to the data they need to perform their services. This limits the amount of data that exposed if a breach occurs as a result of vendor vulnerability. For the third-party marketing vendor AT&T hired, did they really need to know your account number and your phone number? Surely one would have sufficed. Luckily, last names, credit card numbers, and social security numbers weren’t part of the data stolen. The breach could have been much worse.
Monitor the vendor’s security practices: Regularly monitor the vendor’s security practices to make sure they’re following the agreed-upon security measures. This includes requesting reports on security incidents or conducting on-site visits. Never discount the importance of identity audits.
Have a plan in place for responding to data breaches: Work with the vendor to develop a plan for responding to data breaches. Include procedures for identifying and containing the breach, as well as steps for notifying affected parties. Once you have a plan, practice executing it. Perhaps start with tabletop exercises to walk all the concerned parties though what would actually happen in the event of a data breach.
By taking these steps, you can help ensure that your third-party vendors are keeping your users’ data as secure as you do. When you reject vendor vulnerability, your attack surface hardens. With every step you take from this list, you strengthen your cybersecurity chain.
- Contributed by Dr. James Quick