A little more than a month after Target announced it suffered one of the largest data breaches in history, we now know that stolen vendor credentials were the keys to the kingdom.
So what does this mean for Target and other businesses who rely on vendors to conduct business? Simply, it means that security does not stop where your walls do. Every vendor with some level of access to your data has the potential to be the source of your next breach, and must be vetted accordingly.
Where to Begin
If you’re a Fortune 500 corporation, retailer, financial services firm or healthcare organization, then you need to monitor the security of your vendors. This is often a difficult process that includes:
1. An initial set of scoping questions sent to determine the vendor’s potential risk; typically based on data and network access.
2. A spreadsheet full of more detailed questions that is then sent to the vendor.
3. The vendor supplies their responses, and potentially a SAS70, SOC2, ISO 27001, or other document of their security program.
4. A small portion of these responses are then reviewed.
SecureState is no stranger to this dilemma. We’ve developed vendor assessment programs, as well as assisted clients in responding to security questions. The problem with this is that many of these vendors haven’t undergone this scrutiny before and are typically unprepared for the onslaught of obtusely worded questions provided on a client’s lengthy spreadsheet. If there is no employee tasked with Information Security, then there is no one that speaks the same language as the questions being posed. It’s unclear to both the client and the vendor which security controls are actually in place, and which truly are gaps.
Approaching the Problem
The best approach that we have found is to get security experts engaged on both sides. This means that clients and vendors both need to either hire their own security experts to engage in this process, or contract a 3rd party security expert to engage on their behalf.
Getting both parties on the same page is a good first step. For organizations seeking security information, tracking who has gotten a questionnaire, who has responded, and if all questions got a response is the next task that can become quite overwhelming. Actually analyzing the answers and trying to identify vendors which may pose a great risk is even more difficult.
Automate and Assess
Automating vendor management through a process flow will greatly help you tacklethis problem and quickly identify which vendors pose the greatest risk to your organization. In an upcoming blog, we will analyze the details of how organizations can do this with minimal time and resources.
In the meantime, another important component to managing vendor security is knowing where your data lies. For more information on this topic, download our whitepaper: “Who’s Got Your Data? Managing Vendor Risk”