If your business lacks cybersecurity discipline and cybersecurity awareness, that’s obviously a bad thing from a security standpoint. Well, the same goes for the vendors that might do work that in some way touches your network.
Can you confidently eat at a restaurant after noticing that its bathroom is a horrendous mess? Would you take fashion advice from a salesperson who is dressed tastelessly?
Well, if part of your job is making sure that your organization’s network is protected against cyber criminals, you should not work with a contractor that doesn’t demonstrate an appreciation for cybersecurity in its digital interactions.
If a vendor exhibits reckless digital behavior, don’t let that vendor anywhere near your network.
My guess, however, is that most vendors make a habit of demonstrating “reckless” digital behavior. In doing so, they reveal their cyber vulnerabilities during interactions with their customers and prospective customers.
That’s not good.
During a presentation at NSCA’s 2018 Pivot to Profit, Rob Simopoulos of cybersecurity provider Defendify, laid out some of these reckless digital behaviors. Many are so commonly demonstrated that it’s almost like they’re hiding in plain sight within most organizations.
Here are some cybersecurity takeaways from Defendify:
Threat of working with a cybersecurity-ignorant contractor is real
Remember the data breach at Target that affected 41 million customers?
The gateway for that cyber crime was through an HVAC contractor that worked with the retailer, Simopoulos pointed out. The hackers broke into the contractor’s network and pivoted into Target’s. In fact, 60 percent of data breaches are related to a third party, he added.
That should legitimize any concern you might have about vendors’ cybersecurity knowledge and readiness.
Your company and your customers are targets
When Simopoulos asked the Pivot to Profit crowd, mostly people running AV and security integration firms, how many have had a cyber-attack at their organizations over the past 12 months, only a smattering of hands went up. Many who didn’t raise their hands are likely wrong. Simopoulos said that 68 percent of small businesses have experienced a cyber-attack over the last year and 50 percent of these crimes target small businesses.
Cyberattacks are extremely costly
We all understand the value of physical security to protect businesses. Well, the average loss in a physical burglary is about $2,000, Simopoulos said. “In a cyber-attack it’s $117,000-plus.”
You probably don’t realize how much data you need to protect
If you aren’t concerned about your contractors’ IT security, you should be. Simopoulos polled the Pivot to Profit crowd and listed elements that companies need to protect from a data perspective. Really, he said, “it’s anything you wouldn’t be willing to put on a public-facing website,” including:
- HR data
- Financial data
- Employee personal information
- Vendor prices
- Proprietary information (e.g. related to product development)
- Most importantly, customer sensitive data such as IP addresses, network topology, floor plans, MAC addresses, their customer information
“There’s a lot of important information there,” he said.
Cyber-threats come from four major sources
- Cyber-criminals (hackers, pretty self-explanatory)
- “Hactivists” or “hacktivism” (criminals who hack for some political motivation)
- Cyber-soldiers (they might be attacking the U.S., they might be sponsored by some state)
- Insider threat (sometimes it’s malicious and on purpose and other times it’s a negligent insider causing a threat)
Phishing has gotten very sophisticated
While the days of Nigerian princes hitting people up for money via email aren’t over, there are far more advanced methods of phishing today. Simopoulos pointed out that phishing emails have gotten very smart. If your employees get a notification that they’re about to receive a FedEx package, it’s pretty tempting to click for tracking information. If they get a LinkedIn invitation, it’s human nature to accept it.
“Never click on an email to accept a LinkedIn invitation,” Simopoulos said. “Go to the site or the app.”
“These criminals are often very patient. They’ll take time and research your companies and who you’re doing business with,” he added.
The reality is that there is “only one way to project yourself against” phishing, Simopoulos said. “It’s to act like very email you receive is fake. If you weren’t expecting it, you have to verify it.”
Now think about your digital interactions with vendors. How often when you send an unsolicited email do they respond by verifying that the sender is indeed you? Probably not often. But that would be a solid sign that the vendor takes cybersecurity seriously. It might make you feel comfortable doing business with it.