Why cybersecurity is vital during the vendor selection process
Sean Sullivan, security advisor, F-Secure
Security breaches happen almost every day, but what's the likelihood of one affecting you or your business? You might think you're immune to cybersecurity traps, especially if you practice good security “hygiene,” but to be confident you need to consider more than just your own organization.
Security breaches such as Target and The Home Depot have brought to light the risks that can be associated with some vendors. These attacks have cost each company millions of dollars, and they're still fighting to earn back their customers' trust.
You likely have a list of criteria to check through when hiring a vendor (e.g. cost, expertise and financial stability), but if you haven't added cybersecurity standards to that list, you should.
Even if you have strong security measures in place, your business' security is only as strong as its weakest link. As we've all learned, Target was breached through its HVAC vendor, illustrating why cybersecurity needs to be an integral part of your conversation during the vendor-hiring process. If a partner or vendor you work with isn't secure, it could devastate your company, affecting your employees, customers, finances and even other partners.
While there isn't a way to push a button to find out which companies follow security best practices, you can get that information by asking the right questions ahead of time. To get started, here are five areas to consider the next time you're going through a vendor selection process:
Share cybersecurity concerns right off the bat.
The first thing to do as you're interviewing vendors is to start the security discussion. Let them know how important it is for your company to keep its data secure. It's as simple as asking: How will you keep my data safe? The vendor should be willing to discuss their practices with you openly, and if they aren't, it could be a warning sign that they aren't the vendor for you.
Ask about phishing knowledge.
Phishing is one of the most common ways for cybercriminals to gain access to private information because it's so easy to execute. The vendor you're speaking with doesn't necessarily need to know the word “phishing,” but they should know what to look for, such as suspicious emails carrying attachments or asking for personal information. Phishing attacks aren't slowing down, so at the very least, it's a good sign if a vendor has trained their employees on email best practices.
During the discussion with your potential vendor, include questions to determine how they internally store and organize information. Some questions to ask include:
- Do you use password managers?
- What are your password policies?
- How are accounts and company information managed?
- Is company information stored in a secure manner?
- Where is it backed up to and how often?
- Do employees access company information through work computers only or through additional devices?
Search for an online presence.
You should do a quick search to see if the vendor has a website and to get a feel for how it's managed. Is it clear that it's maintained and kept up to date? If you find their “Contact Us” form, is it using https or http? Also, take a look at how the website is organized. Does the structure make sense? Lastly, take security badges on a site with a grain of salt. Companies can throw these badges on their site, but it doesn't mean their security practices are award winning.
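One of the checks above, whether a “Contact Us” form actually submits over https, can be done without guesswork by reading the page's HTML. The following is an added example (not code from the article or from F-Secure) that uses only the Python standard library: it collects every form on a page, resolves the form's action against the page URL, and flags forms that would send data over plain http or to a different host than the page itself. The vendor URL and HTML below are constructed sample input; in practice you would fetch the page with an HTTP client and pass its body in.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect the action and method of every <form> tag in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "form":
            return
        a = dict(attrs)  # attribute values may be None when given without a value
        self.forms.append({
            "action": a.get("action") or "",
            "method": (a.get("method") or "get").lower(),
        })


def audit_forms(page_url, html):
    """Return one finding per form: where it submits, and whether that is https
    and on the same host as the page. An empty action means the form submits
    back to the page URL itself, so that URL's scheme is what counts."""
    parser = FormCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).netloc.lower()
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        parts = urlsplit(target)
        findings.append({
            "action": target,
            "method": form["method"],
            "https": parts.scheme.lower() == "https",
            "cross_host": parts.netloc.lower() != page_host,
        })
    return findings


def weak_forms(page_url, html):
    """Forms that would send visitor data in the clear (non-https action)."""
    return [f for f in audit_forms(page_url, html) if not f["https"]]


# Constructed sample: a hypothetical vendor page with one well-behaved form
# and one legacy form that posts over plain http to another host.
SAMPLE_URL = "https://vendor.example/contact"
SAMPLE_HTML = """
<html><body>
  <form action="/contact" method="post">
    <input name="email"><textarea name="message"></textarea>
  </form>
  <form action="http://legacy.vendor.example/send" method="POST">
    <input name="phone">
  </form>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_forms(SAMPLE_URL, SAMPLE_HTML):
        status = "ok" if f["https"] and not f["cross_host"] else "review"
        print(f"{status}: {f['method'].upper()} {f['action']}")
```

Run against the sample, the first form resolves to https on the same host and passes; the second is reported for review because it submits over http to a different host. A form with no action attribute is judged by the page's own URL, so a contact page served over http is flagged even if it never names an action.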
Trust your instinct.
It might seem obvious, but sometimes the best advice is to trust your gut. Take into account the organization's credibility and what their customers have said about them. In the end, if you're comparing two different vendors and one of them seems more secure, trust your instinct.