[BreachExchange] Don't Make the Same Mistake as Target and Home Depot. Protect Your Data With These Tips

Audrey McNeil audrey at riskbasedsecurity.com
Thu Nov 2 20:10:59 EDT 2017


https://www.inc.com/schuyler-brown/5-questions-to-ask-before-trusting-a-vendor-with-your-data.html

When it comes to preventing a data breach, you're only as secure as your
weakest link. Even after training your team and investing in the latest
security software, most companies have a blind spot: vendors. You depend on
a variety of vendors to do everything from inventory management to
accounting, advertising, customer support and more. Many of these vendors
have direct access to your most sensitive systems and data. Target, Home
Depot and countless others learned that lesson the hard way.

Most companies are not even aware how many vendors access their data, let
alone which vendors' employees have permission to access it. The result is
thousands of potential points of failure that could lead to a data breach.

What can you do to hold vendors accountable? Ask every vendor these 5
questions to understand how well they protect your data:

1. When was your last penetration test?

Undergoing these tests is painful and expensive, often requiring months of
preparation and more than $15,000 in fees. They do more than identify
critical weaknesses. They signal that management has a degree of humility
and intellectual honesty.

Any team that embraces penetration tests is willing to admit its weaknesses
and actively work to improve them. That approach to security will prove
much more successful over the long term.

2. How often do vendors' staff undergo security training?

Data security is not a static state of affairs. Hackers are working every
day to learn new tactics and your vendors' team needs to adapt to keep up.
That requires ongoing training. We recommend a session every quarter with
tutorials that review real world examples to illustrate how easily a
seemingly small mistake can spiral into a serious problem.

Staff are simultaneously your biggest asset and your biggest vulnerability.
They can identify and eliminate phishing attempts that might otherwise have
gone undetected. But they also succumbed to social engineering in 43% of
breaches last year, according to the 2017 Verizon Data Breach Report.

3. How many staff share passwords?

No one likes to admit things like this. It's a purposefully provocative
question that reveals management's approach to security as much as their
actual internal controls.

If they're indignant and claim to "forbid" employees from sharing
passwords, be worried. That means they're out of touch and unwilling to
admit that the real world rarely lives up to policies on paper. It's a much
better sign if they discuss specific tools and tactics they've implemented
to reduce the likelihood anyone shares passwords.

4. Which of your staff accessed my company's data in the past 24 hours?

If a vendor can't answer this question in a timely fashion, they do not
have sufficient monitoring in place to detect and identify the source of a
breach before the damage is already done.
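Answering question 4 in a timely fashion is only possible if the vendor keeps a per-customer access audit log and can query it. The script below is an added illustration, not code from the article or from any vendor: it reads a constructed JSON Lines audit log (the field names `ts`, `actor`, `customer`, `action` and `object` are assumptions for this example), keeps only records for one customer inside a 24-hour window, and reports each staff account with its access count. It also counts unparseable lines instead of crashing on them, because a report that silently stops at the first bad line would hide exactly the activity you are asking about.

```python
"""Which of the vendor's staff accessed a given customer's data in the last 24 hours?
Added example; the log format and the sample records below are constructed."""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample audit log in JSON Lines form. One record per access:
# when it happened, which staff account, whose data, what was done to what.
SAMPLE_LOG = """\
{"ts": "2017-11-02T09:15:00Z", "actor": "alice@vendor.example", "customer": "acme", "action": "read", "object": "customers.csv"}
{"ts": "2017-11-02T11:40:00Z", "actor": "bob@vendor.example", "customer": "acme", "action": "export", "object": "orders"}
{"ts": "2017-11-01T08:00:00Z", "actor": "carol@vendor.example", "customer": "acme", "action": "read", "object": "invoices"}
{"ts": "2017-11-02T12:00:00Z", "actor": "dave@vendor.example", "customer": "globex", "action": "read", "object": "invoices"}
{"ts": "2017-11-02T13:05:00Z", "actor": "alice@vendor.example", "customer": "acme", "action": "read", "object": "invoices"}
this line is not JSON and must not crash the report
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # assumed timestamp format, always UTC


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp string into an aware datetime."""
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def parse_record(line):
    """Parse one JSON line into (timestamp, record).
    Returns None for malformed lines so one bad entry does not hide the rest."""
    try:
        rec = json.loads(line)
        ts = parse_ts(rec["ts"])
        rec["actor"]  # a record without an actor is useless for this question
    except (ValueError, KeyError, TypeError):
        return None
    return ts, rec


def staff_with_access(log_text, customer, now_iso, window_hours=24):
    """Return ({actor: access_count}, unparseable_line_count) for every staff
    account that touched `customer`'s data in the `window_hours` ending at `now_iso`."""
    now = parse_ts(now_iso)
    cutoff = now - timedelta(hours=window_hours)
    counts = Counter()
    unparseable = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parsed = parse_record(line)
        if parsed is None:
            unparseable += 1
            continue
        ts, rec = parsed
        if rec.get("customer") != customer:
            continue
        if cutoff <= ts <= now:
            counts[rec["actor"]] += 1
    return dict(counts), unparseable


def print_report(log_text, customer, now_iso):
    """Human-readable answer to "who accessed my data in the past 24 hours?"."""
    counts, unparseable = staff_with_access(log_text, customer, now_iso)
    print(f"Accesses to '{customer}' data in the 24h before {now_iso}:")
    for actor, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"  {actor}: {n}")
    if not counts:
        print("  (none)")
    if unparseable:
        print(f"  warning: {unparseable} log line(s) could not be parsed")


if __name__ == "__main__":
    print_report(SAMPLE_LOG, "acme", "2017-11-02T14:00:00Z")
```

Two points a reviewer of a vendor's answer should press on: the query must be run against the log, not against staff recollection, and the log itself has to be written somewhere the staff being audited cannot edit it, otherwise the "unparseable" count and the gaps in the timeline are the only hint that something was removed.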

5. Which compliance certifications have you completed?

While compliance is not the same thing as security, it does signal that a
vendor has invested significantly to standardize security practices and
imposes a level of rigor that reduces the risk of a breach.

If your vendor sells you any form of software, ask whether they have
completed SOC 2 or ISO 27001 compliance. These compliance regimens require
vendors to define and monitor how data is accessed.

Don't just accept vendors' answers as gospel. If they fail to live up to
your standards, insist they remediate the issues by a defined deadline. It
can be costly to change vendors, but that is still cheaper than the fallout
from a data breach.