OFFICIAL PUBLICATION OF THE NEBRASKA BANKERS ASSOCIATION

Pub. 16 2021-2022 Issue 4

Tech Talk: Controls to Reduce Vendor Breach Risk

The thought of a vendor breach is terrifying. We engage in vendor relationships because the value proposition is that the vendor will provide us better service and security than we can provide for ourselves, often at a lower cost than we would incur to perform and secure the service for ourselves. We put immense trust in our vendors, yet the news is riddled with stories of data breaches involving trusted vendors.

So, where do we start? What do we do?

Modern vendor management requires a contemporary approach to controlling risk. The following controls, when implemented properly, will reduce a significant amount of risk:

  • Multi-Factor Authentication (MFA) — MFA is the single greatest risk-decreasing control you can implement in your organization. Use it whenever and wherever possible, but it must be on all internet-facing apps. The rule of thumb is this: if an application can be accessed outside of your network (e.g., VPN, email, or web portal access), get MFA on ASAP.

  • Strong Password Requirements — Even with MFA in place, a strong password is still a must, as it’ll guarantee protection against hackers and malicious software. Also, MFA isn’t always feasible on all applications, so a complex password will double the security.

  • Religious Patch Management — If you have a system with software, you NEED to be patching religiously. Falling behind on patches leaves systems vulnerable to known attacks that can be prevented with proper patching.

  • Follow the 3-2-1 Data Backup Rule — The 3-2-1 Backup Rule is highly recommended for any organization looking to back up their data. This methodology suggests keeping three (3) copies of your data on two (2) different forms of media and one (1) of those copies being off-site.

  • Network Segmentation — The greater the segmentation, the harder it is for an attacker (or malware) to move throughout your network.

  • Egress Firewall Filtering — Firewalls, by default, block everything coming in and permit everything to go out. You gain significant control over what resources your internal systems can access when egress filtering is enabled.
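One way to turn the 3-2-1 rule above into a repeatable check is to keep an inventory of where each copy of the data lives and test it against the rule. The script below is an added example, not code from the article or from SBS; the inventory records are constructed, and the "system" field (plus the check that two copies do not sit on the same system) is an assumption added here beyond the rule's wording.

```python
"""Check a backup inventory against the 3-2-1 rule.

Added example: not the article's code. Inventory records below are
constructed; the 'system' field and the same-system check are additions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataCopy:
    label: str
    media: str      # e.g. "disk", "tape", "object-storage"
    offsite: bool   # held at a different physical site or region
    system: str     # host or service that holds this copy


def check_321(copies):
    """Return (passes, findings) for the 3-2-1 rule.

    Assumption: the primary (production) copy counts as one of the three.
    """
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; the rule wants 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(
            "all copies on one medium (%s); the rule wants 2" % ", ".join(sorted(media))
        )
    if not any(c.offsite for c in copies):
        findings.append("no off-site copy; the rule wants 1")
    # Beyond the rule's letter: two copies on one system are lost together,
    # whether by hardware failure or by ransomware on that host.
    systems = [c.system for c in copies]
    dupes = sorted({s for s in systems if systems.count(s) > 1})
    if dupes:
        findings.append("more than one copy on the same system: " + ", ".join(dupes))
    return (not findings, findings)


# Constructed inventories: one that satisfies the rule, one that does not.
GOOD_INVENTORY = [
    DataCopy("production file share", "disk", False, "fs01"),
    DataCopy("nightly NAS backup", "disk", False, "nas01"),
    DataCopy("weekly tape, vaulted", "tape", True, "offsite-vault"),
]
WEAK_INVENTORY = [
    DataCopy("production file share", "disk", False, "fs01"),
    DataCopy("local snapshot", "disk", False, "fs01"),
]

if __name__ == "__main__":
    for name, inv in (("good", GOOD_INVENTORY), ("weak", WEAK_INVENTORY)):
        ok, findings = check_321(inv)
        print(name, "PASS" if ok else "FAIL")
        for f in findings:
            print("  -", f)
```

Run it against your own inventory and treat every finding as a gap to close before an incident, not after; the weak inventory above fails all three parts of the rule and also keeps both copies on the same host.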

Here are a few additional tips to help control risk:

  • Log the right activity and establish a baseline on your network. Anything outside of the baseline could be an indicator of compromise. Ensure you have some central logging capability. Central logging capability is not SIEM. It is a place for you to store your collected logs. Make sure this system is a bastion host. Its data may be key in an investigation.

  • Have separate user accounts. The ultimate rule is one user, one account; that is what allows for accountability. All users should be restricted users, especially vendors. If a user is also an administrator, ensure they have a separate, privileged account to perform those administrative tasks. Ensure no one uses service accounts. Service accounts are often administrative in nature.

    Confirm each service that needs a service account has its own service account, like how individual users have their own user accounts. Remember, it’s about accountability.

  • Familiarize yourself with an incident response preparedness checklist. The list should highlight what organizations must have in place ahead of time to ensure the ability to respond to an incident quickly and perform a digital forensics investigation should the need arise.

  • Get cybersecurity insurance. If you haven’t already gotten it, please investigate it. Unfortunately, it is a tricky subject since there is no standard. If you haven’t gone down the path of obtaining cybersecurity insurance, ensure you understand the following: What is really covered? What do insurance companies expect from your cybersecurity controls before paying a claim? Does your coverage include incident response and digital forensics costs? Ask questions and explore the options. The insurance companies are more than willing to help.

  • Familiarize yourself with legal: not just your legal counsel, but law enforcement too. Understand what their capabilities are and what they can provide in an event. Engaging your legal team can help protect your organization, especially if an investigation is needed, and it usually is. Ensure you run all communications through your legal team. Engage with law enforcement. Legal counsel and law enforcement will work with you to determine when to notify customers.
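The first tip above says to log the right activity, establish a baseline, and treat anything outside it as a possible indicator of compromise. The script below is an added example of that idea, not code from the article or from SBS: it learns, per user, which source addresses and hours of day appear during a baseline window, then flags logins that fall outside it. The log lines are constructed in a simple key=value format, and the field names, the one-hour slack, and the choice of user, source, and hour as the baseline dimensions are all assumptions made here.

```python
"""Baseline-and-deviation check over login events (added example).

Not the article's code. Log lines are constructed in a key=value format;
a real deployment would parse whatever your central log store holds.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed baseline window (normal activity).
BASELINE_LOGS = """\
2022-03-01T08:02:11 host=core01 user=jdoe src=10.0.5.12 action=login result=ok
2022-03-01T08:40:09 host=core01 user=asmith src=10.0.5.40 action=login result=ok
2022-03-02T09:15:33 host=core01 user=jdoe src=10.0.5.12 action=login result=ok
2022-03-02T17:58:02 host=core01 user=asmith src=10.0.5.40 action=login result=ok
2022-03-03T07:55:45 host=core01 user=svc-backup src=10.0.9.2 action=login result=ok
2022-03-03T10:11:19 host=core01 user=jdoe src=10.0.5.12 action=login result=ok
"""

# Constructed later window to evaluate against the baseline.
NEW_LOGS = """\
2022-03-10T08:10:00 host=core01 user=jdoe src=10.0.5.12 action=login result=ok
2022-03-10T02:47:13 host=core01 user=jdoe src=203.0.113.77 action=login result=ok
2022-03-10T09:03:30 host=core01 user=asmith src=10.0.5.40 action=login result=ok
2022-03-10T23:30:05 host=core01 user=svc-backup src=10.0.9.2 action=login result=ok
2022-03-10T11:12:44 host=core01 user=vendor-temp src=198.51.100.5 action=login result=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict; None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    return fields


def build_baseline(text):
    """Per user: the source addresses and hours of day seen in the baseline window."""
    baseline = defaultdict(lambda: {"sources": set(), "hours": set()})
    for line in text.splitlines():
        ev = parse_line(line)
        if ev and ev.get("action") == "login":
            baseline[ev["user"]]["sources"].add(ev["src"])
            baseline[ev["user"]]["hours"].add(ev["ts"].hour)
    return dict(baseline)


def _hour_distance(a, b):
    """Distance between two hours on a 24-hour clock."""
    d = abs(a - b)
    return min(d, 24 - d)


def find_deviations(baseline, text, hour_slack=1):
    """Return (line, reasons) for every login that falls outside the baseline."""
    findings = []
    for line in text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("action") != "login":
            continue
        reasons = []
        profile = baseline.get(ev["user"])
        if profile is None:
            reasons.append("user never seen in baseline")
        else:
            if ev["src"] not in profile["sources"]:
                reasons.append(f"new source {ev['src']}")
            hour = ev["ts"].hour
            if all(_hour_distance(hour, h) > hour_slack for h in profile["hours"]):
                reasons.append(f"login at hour {hour:02d} outside observed hours")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in find_deviations(build_baseline(BASELINE_LOGS), NEW_LOGS):
        print(line)
        for r in reasons:
            print("  ->", r)
```

Three of the five later events are flagged: a known user from an address never seen before at an unusual hour, a service account logging in outside its usual window, and a user that does not exist in the baseline at all. None of these is proof of compromise, but each is exactly the kind of event an investigation wants the central log store to have kept.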
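The account tip above sets out several rules at once: one user means one account, administrators get a separate privileged account, nobody logs on with a service account, and each service gets its own service account. The audit below is an added example, not code from the article or from SBS; it checks a constructed account inventory against those rules. The record layout, the "user / privileged / service" vocabulary, and the idea of counting interactive logons from the logs are assumptions made here.

```python
"""Audit an account inventory for the accountability rules above.

Added example, not the article's code. Account records are constructed;
the field names and the 'kind' vocabulary are assumptions made here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    kind: str                    # "user", "privileged" or "service"
    owners: tuple                # people responsible; more than one = shared
    admin: bool = False          # holds administrative rights
    interactive_logons: int = 0  # interactive sessions seen in the logs
    used_by: tuple = ()          # service accounts: services that use it


def audit_accounts(accounts):
    """Return a list of (account name, finding) pairs."""
    findings = []
    # People who already hold a separate privileged account.
    has_priv = {o for a in accounts if a.kind == "privileged" for o in a.owners}
    for a in accounts:
        if a.kind in ("user", "privileged") and len(a.owners) != 1:
            findings.append((a.name, "shared or ownerless account; one user means one account"))
        if a.kind == "user" and a.admin:
            if a.owners and all(o in has_priv for o in a.owners):
                detail = "a separate privileged account exists, so strip the rights here"
            else:
                detail = "no separate privileged account found for the owner"
            findings.append((a.name, "daily-use account holds admin rights; " + detail))
        if a.kind == "service":
            if a.interactive_logons > 0:
                findings.append((a.name, f"service account logged on interactively "
                                         f"{a.interactive_logons} time(s)"))
            if len(a.used_by) > 1:
                findings.append((a.name, "one service account shared by: " + ", ".join(a.used_by)))
    return findings


# Constructed inventory mixing clean and problematic accounts.
INVENTORY = [
    Account("jdoe", "user", ("J. Doe",)),
    Account("asmith", "user", ("A. Smith",), admin=True),
    Account("asmith-adm", "privileged", ("A. Smith",), admin=True),
    Account("helpdesk", "user", ("T. Lee", "R. Kim")),
    Account("bwong", "user", ("B. Wong",), admin=True),
    Account("vendor-acme", "user", ("Acme support",)),
    Account("svc-backup", "service", (), admin=True, interactive_logons=2, used_by=("backup",)),
    Account("svc-sql", "service", (), admin=True, used_by=("erp-db", "reporting")),
]

if __name__ == "__main__":
    for name, finding in audit_accounts(INVENTORY):
        print(f"{name}: {finding}")
```

The restricted vendor account passes; the findings land on the shared help-desk login, the two daily-use accounts carrying admin rights (one of which already has a privileged twin and just needs the rights removed), the service account someone has been logging on with, and the one service account doing duty for two services.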

Now that you’ve read a few tips, take a moment to assess your cybersecurity practices.

Can you afford not to control unauthorized access to your valuable data? If you can’t take the appropriate steps to secure your organization now, will you be able to act later as the threat landscape continues to escalate?

Implementing the controls discussed in this article will push your vendor management practices and overall cybersecurity risk mitigation into the stratosphere. It is less expensive to start implementing these controls today versus waiting until an incident occurs, leaving you with the costly decision to implement these controls.

For more information, contact your Account Executive, Reece Simpson, at 605-270-3916 or reece.simpson@sbscyber.com. SBS delivers unique, turnkey cybersecurity solutions tailored to each client’s needs, including risk management, consulting, auditing, network security, and education. Learn more at sbscyber.com.