How companies can minimize the cybersecurity risk from their tech vendors

Hackers can access a company’s data by exploiting loopholes in a vendor’s system

For many companies, a looming cybersecurity threat comes from the companies they hire to help with day-to-day operations: their technology vendors.

Most companies use technology vendors for a range of critical functions, such as hosting information in the cloud, organizing information and data, running conference-room software, and providing payment software and other tools for interacting with customers and employees.

But as their reliance on technology vendors increases, so does the risk, because vendors plug into company systems and information is exchanged between the two. By exploiting loopholes in the vendors’ systems, attackers can access the company that uses those systems.

Empowering CIOs can help prevent a company from being successfully hacked. (iStock)

Here are five ways that cybersecurity experts say companies can guard against cyberattacks originating from vendors.

1. Set up a rigorous review process when hiring vendors 

Because vendor cybersecurity approaches are largely out of client control, vetting vendors to ensure they have processes to guard against threats is crucial, says Jadee Hanson, the chief information officer and chief information security officer of cybersecurity firm Code42 Software Inc.

Vendor reviews and questionnaires offer insights into vendors’ threat-mitigation efforts, she says. For technology vendors, she recommends looking at whether the vendor uses a so-called ethical hacking program to ensure systems are continually being tested for vulnerabilities. 

After performing an independent vendor assessment, companies can also engage third-party firms to carry out a detailed review of a vendor’s security infrastructure. These reviews can be helpful because vendors may find it easier to open up to a third-party assessor instead of a partner company in their ecosystem, says Craig Robinson, a research vice president at International Data Corp.

"CIOs and CISOs have it in their DNA to not reveal much about their cybersecurity programs," says Mr. Robinson. "It is easier for them to open up with an outside firm that does this on a regular basis."

For technology vendors, look at whether the vendor uses a so-called ethical hacking program to ensure systems are continually being tested for vulnerabilities. (iStock)

2. Spell out expectations in vendor agreements, including how data will be shared 

Companies and vendors should come to an agreement on how company and vendor systems will work together, including how information will be accessed and shared between the two parties.

Vendors, for instance, might need to access company data for reasons such as tech support, or to perform routine workplace tasks such as payroll administration. A payroll vendor, for example, is "putting all that data back into your general ledger, so you can update your financials," says Avani Desai, chief executive of cybersecurity-assessment firm Schellman & Co. She says companies should look for vendors that use encryption to protect sensitive data "both in transit and at rest."

3. Hire internal assessors to regularly brief directors on vendor cybersecurity programs and vulnerabilities 

These assessors can onboard vendors, and then continuously monitor vendors for security protocols and problems, says Ms. Hanson.  

The board, Ms. Hanson says, needs a general picture of the vendor cybersecurity program and wants to make sure there is somebody on staff dedicated to monitoring it.

4. Carefully guard access to company data from the vendors 

Vendors should access company systems on a least-privilege model, in which contractors are able to access systems critical for their work and nothing more, says Ms. Hanson. Two-factor authentication is a given.

While companies may be good at granting access, however, many overlook the need to turn off access to company systems for company and vendor employees who have left, says Frank Dickson, group vice president of the security and trust research practice at International Data Corp. The challenge with employees who leave vendor firms, he says, is that it may not be easy for companies to manually revoke access, given the volume and complexity of vendor systems. Since there may be no trigger event to cut off access, such as termination of employment, the issue is significantly more chronic with them, he says. But technology can help automate the process, he says.
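The stale-access problem Mr. Dickson describes can be automated as a periodic review rather than a manual hunt. The following Python script is an added example, not code from the article or from any firm it cites; the vendor names, accounts, rosters, role names and the 45-day inactivity threshold are all constructed assumptions. It flags a vendor account for revocation or review when the person is no longer on the vendor's attested staff roster, when the account has gone unused past the threshold, or when it holds roles beyond what least privilege allows that vendor.

```python
"""Stale vendor-access review: flags vendor accounts that should be revoked or
trimmed even though no HR trigger event ever reached the client company.
Added example with constructed data; not from the article or any firm it cites."""
from datetime import date, timedelta

INACTIVITY_LIMIT = timedelta(days=45)   # assumed policy threshold
REVIEW_DATE = date(2023, 10, 1)         # constructed "today" for the sample run

# Constructed sample: accounts provisioned for vendor staff on company systems.
ACCOUNTS = [
    {"user": "alice@payrollco.example", "vendor": "payrollco",
     "last_login": date(2023, 9, 28), "roles": ["ledger-write"]},
    {"user": "bob@payrollco.example", "vendor": "payrollco",
     "last_login": date(2023, 6, 2), "roles": ["ledger-write"]},
    {"user": "carol@cloudhost.example", "vendor": "cloudhost",
     "last_login": date(2023, 9, 30), "roles": ["support-read", "admin"]},
    {"user": "dave@cloudhost.example", "vendor": "cloudhost",
     "last_login": None, "roles": ["support-read"]},   # never signed in
]

# Constructed sample: current staff rosters attested by each vendor (the kind of
# obligation a vendor agreement can spell out) and the roles each vendor is
# entitled to under least privilege.
VENDOR_ROSTERS = {
    "payrollco": {"alice@payrollco.example", "bob@payrollco.example"},
    "cloudhost": {"carol@cloudhost.example"},  # dave left; the vendor never said so
}
ALLOWED_ROLES = {"payrollco": {"ledger-write"}, "cloudhost": {"support-read"}}


def review_vendor_access(accounts, rosters, allowed_roles, today):
    """Return {user: [reasons]} for every vendor account needing action."""
    findings = {}
    for acct in accounts:
        reasons = []
        vendor = acct["vendor"]
        if acct["user"] not in rosters.get(vendor, set()):
            reasons.append("not on vendor roster")
        last = acct["last_login"]
        if last is None or today - last > INACTIVITY_LIMIT:
            reasons.append("inactive beyond limit")
        extra = set(acct["roles"]) - allowed_roles.get(vendor, set())
        if extra:
            reasons.append("excess roles: " + ", ".join(sorted(extra)))
        if reasons:
            findings[acct["user"]] = reasons
    return findings


def run_review():
    """Run the review over the constructed sample as of REVIEW_DATE."""
    return review_vendor_access(ACCOUNTS, VENDOR_ROSTERS, ALLOWED_ROLES, REVIEW_DATE)


if __name__ == "__main__":
    for user, why in run_review().items():
        print(f"revoke/review {user}: {'; '.join(why)}")
```

In practice the account list would come from the identity provider and the rosters from each vendor on a contractual schedule; the review then feeds a deprovisioning workflow instead of printing.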

In addition, Ms. Desai says, among the many vendor systems that access a company network, each system should be gated to prevent attackers from easily moving between them. This is achieved by sequestering vendor systems from the main network through additional security controls and firewalls, she says.

Sequester vendor systems from the main network through additional security controls and firewalls. (Kacper Pempel/Illustration/Reuters)

5. Empower the chief information security officer and bring security expertise to boards  

A key impediment to putting in place a vendor-security program can be company politics. In many firms, cybersecurity is the responsibility of the chief information security officer, but that person often has limited influence on executive teams.

"The chief information security officer, generally speaking, is the least powerful C-level role in the organization," says Rick McElroy, principal cybersecurity strategist for VMware’s security business unit. When top-level executives are told of the cyber risks and the cost associated with driving risk to an acceptable level, he says, the recommendations of the chief information security officer are often left underfunded. Some top-level executives choose to ignore the findings.


Companies could also look to bring cybersecurity expertise to boards to better respond to risks. 

"More security professionals need to be elevated onto boards. This has just started to happen," says Mr. McElroy. "Over the past year and a half, we’re hearing about a lot of folks that are actually able to understand the risk language and then put in a program in place for each one of those risks."