6 Ways to Stay Secure With Technology Vendors
Data is the lifeblood of any business. Whether it’s information about your customers, employees or finances, data is used to inform decision-making and to power your business.
Yet, as your small business increasingly turns to technology vendors and cloud providers to drive efficiencies, improve productivity and support remote ways of working, it is also exposed to greater cyber risks.
In today’s hyperconnected world, vendors often store or have access to your sensitive information. Even if you run a tight ship when it comes to your cybersecurity, how can you be sure that your vendors’ security practices are protecting your data against malware or security breaches?
Read on for six ways to protect your business while managing third-party vendor risk.
The first step to protecting your data is to understand what it is and where it resides. From there, you can take steps to segregate and protect it, so that if you’re hacked via a third-party vendor, you’ve decreased the risk of your data being compromised. The Federal Trade Commission (FTC) has published a useful guide on how to take stock of and protect sensitive data in your business.
Whether you’re giving your accountant access to your cloud financing software or a payroll vendor authorization to use your network resources and files, be sure to maintain proper oversight. Use permissions or role-based controls to manage who has access to what, when and for how long.
Go Beyond Passwords
Strong password policies are a given, especially if you’re accessing cloud-based applications and data or allowing third-party vendors onto your network. However, enforcing these policies isn’t easy. Research shows that employees at small and medium-sized businesses often share passwords (30%); use the same password for multiple accounts (25%); or use weak passwords (47%). To protect against password abuse, consider adding multifactor authentication to your systems. This provides an extra layer of security and requires anyone accessing your network to use a temporary PIN or code sent to a registered phone in addition to their password.
Employ Protections for Cloud Data
As more data is being moved to the cloud, many small businesses (68%) assume that cloud services offer better security than on-premise solutions. This isn’t always the case. A staggering one in four organizations experience data theft while using cloud services.
Part of the problem is that many businesses are unaware of how much or how little security their cloud partners provide and who’s responsible for what. Cloud vendors and their customers share responsibility for securing your data. Yet, any measures taken by cloud providers may not meet your requirements or compliance needs. If that’s the case, you may want to tighten access to sensitive data in the cloud.
In addition to making sure that your cloud provider has stringent security policies in place, don’t ignore your own. Protect your business with firewalls, network encryption, data backups and permission-management tools that restrict access to cloud services to only those with the right credentials. If you don’t have the resources in-house to shore up vendor security, consider working with a third-party risk assessment consultant.
Ensure Security in Vendor Contracts
As you review your agreements, look for information on what constitutes a security breach in the eyes of your vendor, what protections they offer and the ramifications of failure to meet them.
For cloud service contracts, ensure that cloud data ownership and protection are addressed. Every cloud provider — whether they’re hosting your IT infrastructure or providing Software-as-a-Service — should have a security policy in place. These typically address things such as data center protections; network, application and data security; monitoring; patching; vulnerability assessment and management; etc. They should also include a provision that describes if and how your data will be returned to you when your contract ends.
Finally, always follow the “trust, but verify” rule. Put a process in place to review and confirm that your vendors adhere to their contractual security commitments.
Establish an Incident Response Plan
Breaches do happen, so be prepared. In addition to your in-house cyber incident response plan, be sure your vendor contracts include procedures for how your vendors will handle notifications. The FTC outlines other things to do if a vendor has a security breach, such as contacting the authorities, confirming the vendor has a fix and following through with it, as well as guidance on how to notify customers.
The benefits of working with technology vendors far outweigh the risks, but vendor relationships are also an important aspect of your business that should not be overlooked from a risk-management perspective. Any major data loss can be devastating. The Better Business Bureau found that only 35% of businesses could remain profitable for more than three months if they permanently lost access to essential data. Given that, making sure your small business is secure should be a top priority.