When it comes to preventing a data breach, you're only as secure as your weakest link. Even after training your team and investing in the latest security software, most companies have a blind spot: vendors. You depend on a variety of vendors to do everything from inventory management to accounting, advertising, customer support and more. Many of these vendors have direct access to your most sensitive systems and data. Target, Home Depot and countless others learned that lesson the hard way.
Most companies are not even aware how many vendors access their data, let alone which vendors' employees have permission to access it. The result is thousands of potential points of failure that could lead to a data breach.
What can you do to hold vendors accountable? Ask every vendor these 5 questions to understand how well they protect your data:
1. When was your last penetration test?
Undergoing these tests is painful and expensive, often requiring months of preparation and more than $15,000 in fees. They do more than identify critical weaknesses. They signal that management has a degree of humility and intellectual honesty.
Any team that embraces penetration tests is willing to admit its weaknesses and actively work to improve them. That approach to security will prove much more successful over the long term.
2. How often do vendors' staff undergo security training?
Data security is not a static state of affairs. Hackers are working every day to learn new tactics, and your vendors' teams need to adapt to keep up. That requires ongoing training. We recommend a session every quarter, with tutorials that review real-world examples to illustrate how easily a seemingly small mistake can spiral into a serious problem.
Staff are simultaneously your biggest asset and your biggest vulnerability. They can identify and eliminate phishing attempts that might otherwise have gone undetected. But they also succumbed to social engineering in 43% of breaches last year, according to the 2017 Verizon Data Breach Report.
3. How many staff share passwords?
No one likes to admit things like this. It's a purposefully provocative question that reveals management's approach to security as much as their actual internal controls.
If they're indignant and claim to "forbid" employees from sharing passwords, be worried. That means they're out of touch and unwilling to admit that the real world rarely lives up to policies on paper. It's a much better sign if they discuss specific tools and tactics they've implemented to reduce the likelihood anyone shares passwords.
4. Which of your staff accessed my company's data in the past 24 hours?
If a vendor can't answer this question in a timely fashion, they do not have sufficient monitoring in place to detect a breach and identify its source before the damage is done.
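As an added illustration of the monitoring a vendor needs in order to answer this question (example code written for this page, not from any vendor's product), the script below builds the 24-hour per-customer access report from a constructed audit log, and separately counts accesses the log cannot attribute to any customer, which is exactly the gap that makes the question unanswerable. The log format, field names, addresses and the "as of" time are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of a vendor's access-audit log (not from any real system).
# Each line records one vendor employee touching one customer's data.
AUDIT_LOG = """
{"ts": "2017-06-01T09:15:00Z", "actor": "alice@vendor.example", "customer": "acme", "action": "read", "object": "invoices"}
{"ts": "2017-06-01T22:40:00Z", "actor": "bob@vendor.example", "customer": "acme", "action": "export", "object": "customers"}
{"ts": "2017-05-30T08:00:00Z", "actor": "alice@vendor.example", "customer": "acme", "action": "read", "object": "invoices"}
{"ts": "2017-06-01T12:00:00Z", "actor": "carol@vendor.example", "customer": "globex", "action": "read", "object": "orders"}
{"ts": "2017-06-01T13:05:00Z", "actor": "svc-backup", "customer": null, "action": "read", "object": "db-snapshot"}
"""

# Constructed "as of" time for the report (the moment the customer asks the question).
NOW = datetime(2017, 6, 2, 8, 0, tzinfo=timezone.utc)

def parse_events(raw: str):
    """Parse one JSON event per line; timestamps become timezone-aware datetimes."""
    events = []
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events

def who_accessed(events, customer, now, window=timedelta(hours=24)):
    """Return {actor: {"count": n, "last": ts, "actions": set}} for accesses to
    one customer's data inside the window (since <= ts <= now)."""
    since = now - window
    report = {}
    for ev in events:
        if ev["customer"] != customer or not (since <= ev["ts"] <= now):
            continue
        entry = report.setdefault(ev["actor"], {"count": 0, "last": ev["ts"], "actions": set()})
        entry["count"] += 1
        entry["last"] = max(entry["last"], ev["ts"])
        entry["actions"].add(ev["action"])
    return report

def unattributed(events, now, window=timedelta(hours=24)):
    """Events in the window with no customer recorded: access the vendor
    cannot attribute, so it cannot appear in any customer's answer."""
    since = now - window
    return [ev for ev in events if ev["customer"] is None and since <= ev["ts"] <= now]

if __name__ == "__main__":
    evs = parse_events(AUDIT_LOG)
    for actor, info in who_accessed(evs, "acme", NOW).items():
        print(actor, info["count"], sorted(info["actions"]), info["last"].isoformat())
    print("unattributed accesses in window:", len(unattributed(evs, NOW)))
```

A vendor whose logging looks like the fifth event (a service account with no customer field) can produce a list of names, but not a complete one; that is the answer to look for.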
5. Which compliance certifications have you completed?
While compliance is not the same thing as security, it does signal that a vendor has invested significantly to standardize security practices and imposes a level of rigor that reduces the risk of a breach.
If your vendor sells you any form of software, ask whether they have completed SOC 2 or ISO 27001 compliance. These compliance regimens require vendors to define and monitor how data is accessed.
Don't just accept vendors' answers as gospel. If they fail to live up to your standards, insist they remediate the issues by a defined deadline. It can be costly to change vendors, but that is still cheaper than the fallout from a data breach.