Could A Supplier's Cybersecurity Deficiencies Put My Business At Risk?
You pay attention to cybersecurity – your customers and your business depend on it. But what about your suppliers? Do you know their level of commitment to protecting your business data?
Could their approach to cybersecurity be putting your business at risk?
In this article, we’ll explore how your supplier’s commitment to cybersecurity could impact your business.
As a managed IT support services provider, Kelser works with companies across a broad spectrum of industries. We’ve seen the impact that supplier cybersecurity deficiencies can cause. We’ll explore the potential implications on your business so you know what to look for when selecting suppliers.
After reading this article, you’ll understand why the security stance of your suppliers is as important as your own organization’s tools and how to know if they have the right tools in place to protect your data and systems.
Why Does My Vendor’s Security Matter To My Business?
Your customers will ultimately hold your business responsible if their data is exposed. Their contracts are with your organization and you agreed to keep their data safe.
The customer has no control over which contractors you decide to hire. If their data is exposed by one of your vendors, your business will bear the brunt of customer ire (and potential legal action).
How Can I Ensure That My Vendors Have Strong Cybersecurity Practices In Place?
The place to start is with your contracts.
Make sure that you spell out the cybersecurity requirements for your vendors very specifically in your contractual agreement.
The more detail you provide about these expectations in your contracts, the more secure your data and that of your customers will be. Ask to see a copy of their cybersecurity policy; if they don’t have one, that could be a red flag.
Related article: 7 Characteristics Of A Successful Cybersecurity Policy
Ongoing risk assessments are another important tool that can be used to keep an eye on your vendor’s continuing commitment to cybersecurity. These can be performed by someone in your IT organization or by an outside provider. While there is an associated cost, it pales in comparison to the cost of a data breach.
What Cybersecurity Tools Should My Vendors Have In Place?
Your vendors are an extension of your business and reflect your values and commitment. At an absolute minimum, any vendors with access to your data should have a cybersecurity policy in addition to the following tools:
Next-generation firewalls ensure that unauthorized traffic doesn’t reach data and infrastructure (both for your suppliers and for your business).
Encryption adds another layer of protection, for example when communicating via email, making it harder for hackers to read sensitive information whether it is at rest or in transit.
There is no excuse for not having antivirus software in place. There are many free and low-cost options that help provide an extra layer of protection for data and your infrastructure.
Attacks that could slip past standard antivirus software can be stopped by anti-malware. It provides a comprehensive and constant view of what is running where across your network, defending before, containing during, and helping remediate after an incident.
To see potential threats, you have to be looking for them. Ongoing monitoring of infrastructure is essential to detecting unusual activity and is a critical step in a comprehensive cybersecurity plan.
Developers often send out updates to patch vulnerabilities (and improve product performance).
To ensure that the latest security tools are in place and that any potential gaps are closed, your vendors need to be committed to installing patches quickly and efficiently.
What Else Is Important For Vendor Security?
Approximately 90 percent of cyber attacks are attributed to human error, making security awareness a vital cybersecurity asset.
An often overlooked cybersecurity tool, employee security awareness training keeps cybersecurity top of mind for all employees, explores the latest threats, and provides tools employees can use to identify and report suspected incidents.
Read this article for an honest cost-benefit analysis of employee security awareness training.
Related article: What is Employee Security Awareness Training? Do I Need It?
What Could Happen If One Of My Vendors Doesn’t Have Strong Cybersecurity Practices In Place?
The cost to your business can be significant.
Here’s just one example:
In 2021, Volkswagen announced that the personal information (including name, email and physical address, and telephone number) of more than 3 million customers was exposed after one of its vendors left a cache of customer data unsecured on the internet for nearly two years.
In 2023, Volkswagen settled a resulting class action lawsuit for $3.5 million.
While this is an extreme case, it provides context for why your supplier’s cybersecurity matters.
What’s The Bottom Line?
In this article, we’ve explored the importance of understanding the commitment your suppliers have to cybersecurity.
We’ve explored why your vendor’s commitment to security matters to your business, how to ensure that your security focus extends to your vendors, which tools they should have in place, and why employee security awareness training is another indicator that vendors take security seriously.
You also know what could happen if your vendors aren’t focused on cybersecurity.
At this point, you may be feeling good about the commitment your vendors have shown to cybersecurity. Or, you may have an uneasy feeling. The truth is that ignoring an uneasy feeling can be costly to your business, both financially and reputationally.
Do yourself and your business a favor and explore your vendor contracts. Make sure they contain language about cybersecurity and your expectation for their behavior.
Wondering if your organization’s cybersecurity tools are up to the latest threats? Click the button below to download a short, easy-to-understand free eBook and learn 10 actions you can take right now to protect your data including:
✔️Updating applications and operating systems
✔️Maintaining current backups
✔️Implementing multi-factor authentication (MFA)
✔️Password protecting mobile devices