Blog - FTC and SBA Guidance on Cybersecurity - Vendor Security

Few businesses exist in a vacuum. Companies regularly partner with outside entities to provide services such as human resources and IT support. This allows businesses to leverage expertise that they choose not to build in-house - often providing a less expensive and higher quality service than could be built internally.

These partner relationships come with risk. The retail giant, Target, was the victim of a mega-hack that cost them hundreds of millions of dollars. The hackers did not attempt to directly breach Target but rather routed their attack through the retailer’s HVAC service Fazio. Fazio was allowed access to Target’s network to support their maintenance contract. Once hackers got into the maintenance company’s network, they then hopped over to the Target network and did their damage.

Be sure you have protection in place to address the risk associated with vendors and other third-party entities.

  • Put it in writing. Be sure that contracts include security provisions, expectations, and responsibilities. Expectations should include a named head of cyber security and regular evaluation of their security program.

  • Verify Compliance. Enact processes to ensure the third party is compliant with these security provisions.   

  • Control Access. The security tenet of minimal access should extend to cover vendors as well. Be sure to understand, and enforce, the minimum level of access necessary to meet the contracted services.

It can often make sense to outsource services that can be done cheaper, or better, by a third party. Just be sure that your business is aware of the associated risk - and put controls in place to protect yourself.

The Federal Trade Commission and Small Business Administration have collaborated to publish guidance (https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity) for these companies. This guidance is a great place to start for business leadership that is worried about cyber issues but isn’t sure where to begin.

North Wonders has produced a self-guided security assessment tool based on the SBA guidance referenced above. This tool (https://www.northwonders.com/offering/#self-guided) allows small businesses to quickly see their cyber hot spots and get actionable guidance on correcting any issues. For more information please contact us at Info@NorthWonders.com.