Are Your Partners Putting You At Risk? Take These Five Steps To Ensure They Have Proper Cybersecurity Measures In Place

Forbes Technology Council

Lyndon is Chief Strategy Officer at Pondurance. He specializes in building high-growth enterprise SAAS companies.

Cyberattacks are rapidly growing in size and scope as attackers diversify their criminal portfolios. Attacks against large corporations are now complemented by opportunistic or strategic attacks against smaller businesses. While opportunistic attacks are the virtual equivalent of a company being at the wrong place at the wrong time, strategic attacks are the product of deliberate planning and execution. Whether your business is large or small, cybercriminals or nation-state actors may be directly targeting your business—while simultaneously pursuing your supply chain of partners, vendors and contractors, which, in turn, poses a threat to you.

For example, cyberattackers could infiltrate the IT systems of one of your primary suppliers and gain access to its sensitive customer data (i.e., your data). They could then threaten to expose the data unless your supplier pays a hefty ransom, which puts you at risk. Similarly, they could use that initial access to launch a business email compromise (BEC) attack that convinces your finance team to wire funds to an account controlled by the attacker or pivot into your network using access your supplier may have.

This means it is incumbent upon you not only to ensure that you are protected but also to ensure that the firms you do business with are exercising due care. That means taking a close look at the cybersecurity systems and processes of your partners and vendors. It also means asking serious questions about the cyber preparedness of every company in your ecosystem and the third-party risk to your business. Just imagine you spend a lot of money on your own cybersecurity, only to see your sensitive data exposed due to inadequate security at one of your partners.

So, how do you make sure your partners are maintaining sufficient security? It can be a delicate balancing act. But here are five steps you can take to assess the cyber preparedness of your partners and ensure they’re protecting their companies—and your company—against cyber threats.

1. Encourage 24/7 Monitoring

A great start to any security program is a managed detection and response (MDR) service, which will assist you with monitoring, detecting and responding to threats on a 24/7 basis. Today, there are a growing number of third-party MDR service providers that help organizations continually watch for incoming threats (detection), then act (response) to minimize the damage of any security incidents that happen.

Round-the-clock monitoring matters because cybercriminals don’t punch in at 9 and return home at 5. They’re spread across the globe, they work day and night, and they work weekends and while you’re sleeping. 24/7 monitoring eliminates those blind spots and helps you protect your business every second of the day.

2. Require Cyber Insurance

Cyber insurance is an area where companies must take an increasingly hard line. In the new digital economy, partners without cyber insurance pose a risk to themselves and their partners. Purchasing a comprehensive cyber insurance policy can help ensure the survival of a company if its security fails, an attack is successful and large payments are necessary to recover data, restore systems and get the company back on track.

3. Ask About MFA

Savvy companies are doing their own research on cyber solutions and then recommending that all their vendors and partners implement similar solutions. These typically include multi-factor authentication (MFA), endpoint security, disaster recovery and more. MFA is quickly becoming a must-have for every company. More than a million passwords are stolen every week, and most of them find their way into the hands of attackers. With MFA in place, a stolen password alone is not enough to log in, so smart businesses are implementing MFA to provide an extra layer of security.

4. Do Cyber-Diligence Assessments On All Vendors And Partners

Conducting a cyber-diligence assessment helps you estimate the scope of damage to you in the event of a breach at a company you do business with. Cyber diligence won’t always give you an end-to-end look at a company’s ability to defend itself against cyber threats, but it should give you a reasonable understanding of that company’s current capabilities.

For example, it will show you how a company is currently monitoring for threats, what kind of response plan it has in the event of an attack and how quickly it can recover if an attack disrupts its supply chain or its ability to get products to market. A proper cyber-diligence effort will raise a number of vital questions—and, depending on the answers, will help you decide who is taking security seriously.

5. Make Sure Your Partners Have An IR Plan

It’s important that your vendors and partners have an incident response (IR) plan in place in case they experience or suspect a security incident. A plan is essential to enable rapid and effective response. It provides guidance in a time of confusion and ensures that the right steps are taken to limit damage. The plan should explain exactly what every employee needs to do in the event of an attack. In addition, your partner should put the plan to the test before it is truly needed via tabletop exercises or more hands-on methods.

Of course, not every company can effectively create such a plan and bring it to fruition. But an incident response retainer can help here. This is an agreement with a specialized incident response provider that entitles an organization to priority support from the provider should a breach occur. It makes good sense to do business with organizations that have this kind of relationship in place.

Final Takeaway

Cyberattacks are at an all-time high. Since 2020, the number of reported cybercrimes in the U.S. is up 300%. The average cost of a data breach in 2021 was $4.24 million. You can’t afford to take that risk. You must ensure that you make every effort to keep bad actors out of your networks—and ensure your partners, vendors and contractors do the same.
