You’ve heard the story of Target’s massive data breach in 2013, but did you know the retail giant was attacked through an HVAC subcontractor’s stolen credentials? The breach exposed 40 million customers’ credit card data and resulted in an $18.1 million settlement.
Though the Target scandal happened almost a decade ago, small and medium businesses continue to face similar cybersecurity risks. Vendor management may not be a cyber vulnerability you’ve considered, but the fix is well within your reach.
Companies face scrutiny when applying for licensure, insurance, a new lease, or utilities. The firms doing the screening look at credit history, financial stability, and, increasingly, security posture. That is routine for large companies or agencies. Smaller businesses, however, are more likely to skip this critical step when vetting their own vendors, or to screen for finances only.
What’s the risk? Just like Target, you could be an unwitting victim if a breach at your vendor exposes log-in credentials for your company, or if you share any kind of technology integration with them. You are also exposed if a critical service supplied by the vendor, such as internet access or an email server, becomes unavailable.
Beware of common blinders
When your business margins are lean, there is an allure to going with the vendor offering the lowest rate, or the one who can get the job done the quickest. Before you jump at these offers, make sure the vendor isn’t cutting corners and exposing you to potential risk.
There’s a reason why business-critical services are often dominated by big brands: for these services, any level of risk isn’t worth it. Point-of-sale systems that process customer credit card payments, for example, have just a handful of market leaders. These big firms face increased scrutiny of their security and vendor management policies and are often the first to follow industry standards or certified processes for cybersecurity.
The quick fix
If you haven’t been screening your vendors, there’s an easy fix: Start screening. It’s never too late to ask current vendors to answer basic questions about their Information Security (InfoSec) policies and proof of cybersecurity insurance.
Consider asking screening questions such as:
- What kind of data are you storing? Do you have a data backup? How long does it take for you to restore data via the backup?
- How do you protect data?
- What kinds of access control do you have for employees? Do you require two-factor (multi-factor) authentication to log in?
- What are your privacy policies?
- Do you have a security response plan? How often do you review or practice it?
- Do you have cyber insurance coverage?
- Does your policy cover us if your security incident impacts us?
Big firms may insist on rigorous screening before even considering a vendor. Small businesses don’t necessarily need such an extensive or formal process. Minimally, all companies should have a questionnaire or screening interview to collect enough information to make an informed decision about conducting business.
What if your vendor doesn’t have any InfoSec controls or cyber insurance? Depending on their role as a vendor and your company’s exposure to risk, that could be a deal breaker or no big deal.
Never say never
As a business leader, you make the final call on vendors. We advise our clients, “Risk management is a decision-making process. Understand the implications of your decisions.”
In other words, you may comfortably say yes to a vendor with no cyber insurance if they will never log in to your systems, like the landscapers who cut the grass around your building or the folks who deliver bottled water. You can even say yes to a vendor that carries some level of risk and has access to your data, but do so with eyes wide open and a plan to monitor that access.
A final word
They say you are judged by the company you keep. As a business owner, reputation is always an important consideration, and vendor management is a risk you can control. Use a simple screening process to give yourself the information necessary to make an informed decision on associating with each of your vendors.