Almost every day there is news of yet another security breach. Yet still too many organizations assume they are immune from attack because they practice their own ‘good hygiene’ when it comes to internal security. Time and time again, however, companies are breached through the security deficiencies of the vendors they have chosen. High-profile breaches at companies like Target and The Home Depot should warn us all of the dangers posed by some vendors.
As anyone can tell you, a chain is only as strong as its weakest link – and the same thought processes should apply when choosing a vendor. Target, for example, was breached through its HVAC vendor.
Sean Sullivan, a security expert writing for SC Magazine, warns that cybersecurity standards should be added to the usual checklist of questions you may have for a security vendor. While it is not always easy to find out which companies follow security best practice, these five areas should definitely be considered.
Right from the start, cybersecurity concerns should be shared with any potential vendors. Let them know the importance to your company of keeping data secure. To start the discussion the question can be as simple as: “How will you keep my data safe?”
The next area to discuss should be about the vendor’s knowledge of phishing scams. This is one of the most common ways of gaining access, so any vendor should know at least the basics of what to look out for: suspicious emails with strange attachments, or asking for personal information. It’s generally a good sign if a vendor has its employees trained in email best practices.
After this, you should find out how the vendor’s own internal information is managed. For example, does it use password managers? What are its password policies? How is company information managed? Is company information stored in a secure manner? And do employees access company information through external devices?
The next area to flag up is a company’s online presence, and whether it even has one. Get a feel of how its website (if any) is managed. For example, does the ‘contact us’ form use https or http? It is important to remember, though, that this is only an indicator. Simply, the presence of a security badge does not mean the company necessarily follows best practice.
Finally, you should trust your instincts. Take into account the organization’s credibility: is it an established organization or a one-man band? Is there any negative (or positive) feedback on the company from previous customers? If it’s a toss-up between two different companies and one just ‘seems’ more secure, trust your instincts.
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: “Security is not a product, but a process.”