How thoroughly did you investigate the vendors for your IT resources? You’ve more than likely reviewed them for what their product does:
- Does the VOIP system make calling easier? Yes! You made sure it does before you bought it.
- Does the new software help you do your work 30% or 50% faster? Yes, you researched this thoroughly and even spoke with current users.
- Does the video security system detect intrusions faster with better picture clarity? Yes, you saw a great demonstration with your own eyes.
But did you review your vendors for their security practices? Did you ensure that installing their systems won’t open up holes in your own security, or introduce other new threats into your own network? Probably not, and that is where the IT Vendor Danger lies.
Where the IT Vendor Danger Comes From
Almost everything you add to your business these days is going to need to use your IT resources in order to work effectively. For example, your VOIP phone system relies on your network to transmit and store its data, and your Point of Sale systems (or your video security system, your specialized medical equipment, your scientific testing equipment, or whatever other systems you need to run your business) all rely on your office network as well.
The IT vendor danger begins when your vendor installs their systems. They will very often need to make changes to your network to allow their specialized communications to travel into, out of, and through your network. It is through these changes, and the holes they create, that problems happen, because very often vendors and manufacturers are not as interested in security as they are in making a sale.
Bots are constantly scanning the internet for open firewall ports belonging to known types of systems. Once an open port is found, default credentials are tried (as well as simple or common usernames and passwords). If access is gained, the hackers can install viruses or ransomware, steal proprietary company data, steal customers' financial, identity or medical data, monitor your communications, or damage your company, your business, your vendors or your customers in a variety of other ways.
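One way to turn that description into a routine check: the script below is an added example, not code from the original post, that audits a set of firewall port-forward rules against a register of vendor-installed devices and flags the three conditions just described (a well-known default port left open to the internet, a device still on default credentials, and a rule that no registered vendor owns). The rule format, register fields, hosts and port numbers are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed: services that bots commonly probe on their default ports.
WELL_KNOWN_DEFAULT_PORTS = {
    "sip": 5060, "rdp": 3389, "vnc": 5900, "telnet": 23, "rtsp": 554, "http": 80,
}

@dataclass
class ForwardRule:
    external_port: int
    internal_host: str
    service: str

@dataclass
class VendorDevice:
    internal_host: str
    vendor: str
    default_credentials_changed: bool
    approved_by_security: bool

def audit_vendor_exposure(rules, register):
    """Return (host, finding) tuples for every risky rule/device combination."""
    by_host = {d.internal_host: d for d in register}
    findings = []
    for rule in rules:
        device = by_host.get(rule.internal_host)
        if device is None:
            # A forward rule nobody registered: a change made outside security's view.
            findings.append((rule.internal_host, "unregistered: no vendor owns this rule"))
            continue
        if not device.approved_by_security:
            findings.append((rule.internal_host, f"{device.vendor}: change not reviewed by security staff"))
        if rule.external_port == WELL_KNOWN_DEFAULT_PORTS.get(rule.service):
            findings.append((rule.internal_host, f"{device.vendor}: {rule.service} exposed on default port {rule.external_port}"))
        if not device.default_credentials_changed:
            findings.append((rule.internal_host, f"{device.vendor}: default credentials still in use"))
    return findings

# Constructed sample data: a VoIP PBX, a camera recorder, and a forgotten remote-desktop rule.
SAMPLE_RULES = [
    ForwardRule(5060, "10.0.1.10", "sip"),
    ForwardRule(8554, "10.0.2.20", "rtsp"),
    ForwardRule(3389, "10.0.9.99", "rdp"),
]
SAMPLE_REGISTER = [
    VendorDevice("10.0.1.10", "VoIP vendor", default_credentials_changed=False, approved_by_security=True),
    VendorDevice("10.0.2.20", "Camera vendor", default_credentials_changed=True, approved_by_security=False),
]
```

Running `audit_vendor_exposure(SAMPLE_RULES, SAMPLE_REGISTER)` on the sample data yields four findings: the VoIP PBX on its default port and default credentials, the camera recorder change that security never reviewed, and the remote-desktop rule that belongs to no registered vendor.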
Non-IT Vendor Dangers
Not all vendor danger comes from IT vendors. There's plenty of opportunity for non-IT vendors to do damage to your business as well. All they need is access to your IT resources, or to your physical building. You might not think of your bookkeeper or CPA as a threat, but if their security policies are not rigorous enough, the next time they log into your Quickbooks account remotely, they might bring malware with them.
You probably don’t think of your maintenance staff as a threat, either, but they (or any other visitors to your office) can harm you just as badly. Imagine that a computer is left logged in after hours. Your outsourced maintenance staff spots the unlocked PC and takes just a few minutes to check his or her email, to play a game, visit a website, or to insert a thumb drive to view some photos. Ransomware or other malware could easily be transferred to your network.
This open computer could also be used to download customer data, vendor data, or other proprietary company data. Or just as easily, untrustworthy vendors could walk off with physical computer hardware, such as thumb drives, external hard drives, laptop computers, or even desktop PCs.
All of this boils down to one thing: You need to find a way to ensure that the vendors you are working with not only have cyber security practices that are at least as strong as yours, but that they are also trustworthy people.
How To Protect Yourself
So what can you do to protect yourself? Beyond the very basics, like changing usernames and passwords from the default, changing the default ports in your firewall, and keeping all software updated, it starts with choosing your vendors carefully. Make sure your vendor agrees to all of the following:
- Agree to Your Cyber Security Standards: Make sure they agree that abiding by your Cyber Security Standards is a requirement of the engagement.
- Agree To Work With Your Cyber Security Staff: Your Cyber Security staff, whether in-house or outsourced, should be in charge of any changes made to your network, and should be aware of all of the requirements for their systems.
- Show You Their Risk Assessments: Every qualified IT vendor, regardless of the services they sell, should be able to provide you their own Risk Assessments. If they don’t know their own vulnerabilities, you can’t depend on them.
- Cyber Liability Insurance: Before hiring a vendor or buying their product or service, ask to see their Cyber Liability Insurance policy. If anything goes wrong, you will want to know they have the resources to fix it.
- For Medical/Health Businesses, Fill Out a BAA: If your company is required to abide by HIPAA, then all of your vendors should complete a BAA: a Business Associate Agreement. Talk with your Regulatory Compliance expert for more information.
Here at Digital Uppercut, we help our clients navigate and protect themselves from all sorts of dangers, including the IT Vendor Danger. If you have never considered the risks built into working with other outside IT vendors for your VOIP, Security, specialized software or specialized hardware systems, then it’s time that someone review your current situation and fix the problems that are likely to be there. Contact us online or call us at 818-913-1335, and let’s work together to keep you and your company secure.