Let’s put aside for the moment the question of whether you’ve taken the time to fully secure your company’s systems or not. At the moment, we’ll just pretend that your company sits within this perfect little vacuum of security where unicorns exist and hackers can’t get within a million miles of any of your databases. Congratulations! You’re still not safe.
You see, there is one thing we’re missing in this perfect little formula: Everyone else. Even in fantasy land, it’s just not enough to secure your own borders. You have to ensure that the people entrusted with your information have also secured theirs. These people are called your vendors. Even the most experienced CIOs may miss the fact that despite their best efforts to ensure that the company is operating with an iron-tight security policy and infrastructure, that company is still only as secure as the vendors it relies on.
Depending on several factors, your vendors and providers may have access to your employee database, your email, and/or your financial information. All of these things can wreak an unfathomable amount of havoc that dwarfs the stories told in Homer’s Odyssey. Here’s a case you might find interesting: At the end of 2013, Target — a major retailer in the United States — experienced a data breach that made the country grind to a screeching halt. 40 million credit card numbers were exposed through credentials that had been stolen from one of the company’s vendors.
The breach was embarrassing and cost the company over a hundred million dollars. The damage was so extensive that almost a year later they’re still talking about it (the linked report is from August 5, 2014). But perhaps the greatest cost that Target had to bear was the loss of trust from millions of its customers. The aftermath of these breaches is never peachy. Taking into account that the breach was actually another company’s fault, where do you think Target’s customers will point the finger? If your answer to the question was anything but “Target”, then you have an overly optimistic view of the world.
Yes, if you suffer a similar breach, your customers are going to look at you as the Big Bad Wolf. Your vendor will walk out of this scot-free and you’ll be ground up in the wood chipper before you can say “but I didn’t do it!”
You can’t just stop using vendors, but you do have some responsibilities in seeking out the right merchants to do business with, especially when such business involves sharing customer data or other sensitive information. If it’s something you can’t legally shout from the hilltops (like a credit card number), you should take every step possible to make sure that it’s locked down everywhere it’s stored. That is, ultimately, your responsibility.
So, how do you prevent data breaches due to careless vendors? The key to it all is prudence.
First, ask your vendor how they’ll be handling your data. Get all of the details. How is the database encryption handled? What do they need to store? Be aware of what kind of data you’ll be giving to anyone at any time.
Once you’ve gotten an idea of your risk level, assess whether it’s worth sharing information with the vendor based on the severity of a potential breach, should it ever happen. If possible, and if you have a close enough relationship with your vendor, tell them to access your apps through an SSO that you control. You can always use ours.
PerfectCloud, our solution, provides you with an audit trail that will allow you to track where your vendor has been within your systems. The interface will show you what app has been accessed, by whom it was accessed, and when this took place. If someone is there when they shouldn’t be, you’ll know immediately. Once you do, don’t forget to take immediate and decisive action to investigate the deviation from policy.
Through our solution, you’ll also be able to apply granular permissions (i.e. permissions to only a small portion of systems and apps). This will limit the damage that a vendor can do, whether it’s intentional or not.
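The two controls just described (an audit trail recording which app was accessed, by whom and when, plus a per-vendor allow-list of apps) can be checked mechanically. The script below is an added illustration, not PerfectCloud code: it assumes a constructed audit-line format of `<ISO time> <actor> <app>`, a hypothetical vendor policy, and an agreed 08:00 to 18:00 access window, and flags every event that deviates from them.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed policy (hypothetical vendor accounts): each account may reach
# only the listed apps, i.e. the "granular permissions" described above.
VENDOR_POLICY = {
    "acct-payroll-vendor": {"payroll", "hr-directory"},
    "acct-hvac-vendor": {"facilities-portal"},
}
# Assumed agreed access window, in the hour of the event's own timestamp.
WINDOW_START_HOUR, WINDOW_END_HOUR = 8, 18


@dataclass(frozen=True)
class AuditEvent:
    timestamp: datetime
    actor: str
    app: str


def parse_event(line: str) -> AuditEvent:
    """Parse one constructed audit line: '<ISO time> <actor> <app>'."""
    ts, actor, app = line.split()
    return AuditEvent(datetime.fromisoformat(ts), actor, app)


def find_deviations(lines, policy=VENDOR_POLICY):
    """Return (actor, app, reason) tuples for accesses that break policy."""
    deviations = []
    for line in lines:
        ev = parse_event(line)
        reasons = []
        allowed = policy.get(ev.actor)
        if allowed is None:
            reasons.append("unknown vendor account")
        elif ev.app not in allowed:
            reasons.append("app outside granted scope")
        if not WINDOW_START_HOUR <= ev.timestamp.hour < WINDOW_END_HOUR:
            reasons.append("access outside agreed hours")
        deviations.extend((ev.actor, ev.app, r) for r in reasons)
    return deviations


# Constructed sample trail; these lines are not real product output.
SAMPLE_TRAIL = [
    "2014-08-05T09:12:00+00:00 acct-payroll-vendor payroll",
    "2014-08-05T09:15:30+00:00 acct-hvac-vendor facilities-portal",
    "2014-08-05T21:47:10+00:00 acct-hvac-vendor payment-gateway",
    "2014-08-05T22:01:00+00:00 acct-unknown-contractor hr-directory",
]

if __name__ == "__main__":
    for actor, app, reason in find_deviations(SAMPLE_TRAIL):
        print(f"ALERT {actor} -> {app}: {reason}")
```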
Don’t let your vendor mistake this for distrust. It’s just an added layer of security that will work between you and your vendor to ensure that both of you get what you need without having to expose yourselves too much. It’s not like you’re putting up a barrier against your vendor. Rather, you’re making it so that the vendor doesn’t have to worry about being under siege for negligence while shielding yourself from any possible liabilities.
By using PerfectCloud as an intermediary between your vendor and your company, you create an effective way to do business that is both convenient and extremely secure. Thwarting possible breaches has never been easier, and the cost-benefit ratio is favorable considering the risks you would take without such a solution.
In the end, you can either choose to play it safe or play fast and loose with security. We warn you, however, that making the latter decision as a CIO could cost you your job.