{"id":2893,"date":"2019-04-25T10:01:05","date_gmt":"2019-04-25T15:01:05","guid":{"rendered":"https:\/\/www.stratospherenetworks.com\/blog\/?p=2893"},"modified":"2019-04-25T10:11:49","modified_gmt":"2019-04-25T15:11:49","slug":"key-questions-to-ask-your-vendors-about-their-cybersecurity-practices","status":"publish","type":"post","link":"https:\/\/www.stratospherenetworks.com\/blog\/key-questions-to-ask-your-vendors-about-their-cybersecurity-practices\/","title":{"rendered":"Key Questions to Ask Your Vendors about their Cybersecurity Practices"},"content":{"rendered":"

\"\"<\/a>Last month, the supply chain company Asus revealed hackers had broken into their servers and malicious code had been pushed out to its customers as part of a supposedly safe routine software update. Kaspersky Labs<\/a>, who detected the attack, estimated 57,000 people received this update. This recent supply chain compromise is an example of how sophisticated and relentless hackers can be, even when protocols and firewalls are implemented to protect against such an event.<\/p>\n

How common are vendor related supply chain cybersecurity attacks?<\/strong><\/h4>\n

This incident is just one of many examples of vendors being susceptible to hackers and causing supply chain risk for their customers. According to the Opus and Ponemon<\/a> study of more than 1,000 CISOs and other security and risk professionals across the United States and the United Kingdom, 59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties. The percentage is even higher in the U.S. at 61 percent. What is even more surprising is that 22 percent of respondents admitted they didn\u2019t know they\u2019d had a third-party data breach in the past 12 months.<\/p>\n

Although your business has worked hard to effectively safeguard your own IT infrastructure, if your supply chain is not properly protected, outside vendors represent a disproportionate level of risk to your organization. Vendors and suppliers can have direct connections to your company\u2019s networks or systems, including ordering, billing, process management systems, and more. Knowing this, it\u2019s important to understand what precautions your vendors take to protect your information. Here are questions to ask your current and prospective vendors about safeguarding your data from cyber-attacks.<\/p>\n

Key Questions to Ask your Vendors<\/strong><\/h4>\n

1. Does your organization have policies and procedures which clearly define how to prevent and detect security incidents should they happen? <\/strong><\/p>\n

The first step should be identifying if the vendor is taking active steps to prevent, detect, and contain security incidents when they happen. To prove this, they could provide the policies and procedures that they follow to keep your data safe. Ask about the details of their cybersecurity programs and methods that are used to prevent and detect security breaches.<\/p>\n

2. Does your company have a dedicated security team? <\/strong><\/p>\n

Large vendors typically have dedicated cybersecurity teams and have complex security measures, but this might not be the case if it\u2019s a small company. Some companies cannot afford in-house security teams, so it\u2019s important to see if they have outsourced to a third-party vendor<\/a>. If they are using a third-party vendor, ask for details and references. Additionally, it\u2019s important to know your point of contact in the event of a cybersecurity breach to efficiently obtain updates and a course of action.<\/p>\n

3. What security standards and\/or frameworks do you follow? <\/strong><\/p>\n

There are multiple standards companies must adhere to depending on their industry. Some examples are HIPAA, GDPR, PCI, SOX, and DFARs. Depending on the type of service they are providing, the vendor may have to follow similar standards as your company. For example, HIPAA compliance contains standards that must be applied to safeguard and protect electronic Protected Health Information (ePHI) when it is at rest and in transit. These rules apply to anybody or any system that has access to this information. If the vendor is dealing with ePHI they will also need to make sure they are meeting the technical, physical and administrative safeguards that come with HIPAA compliance. For non-regulated industries, it\u2019s still important to understand if the vendor has a systematic approach to security, and what framework they are using, such as NIST, CIS, or ISO, to name a few. Ask the vendor what risk framework they adhere to. Finally, don\u2019t be afraid to ask for proof or documentation of their ongoing security endeavors as they relate to this framework.<\/p>\n

4. Do you have security\/cyber liability insurance? <\/strong><\/p>\n

According to Statista<\/a>, The estimated value of cyber insurance premiums worldwide in 2020 could be 7.5 billion.<\/p>\n

Having cyber liability insurance<\/a> shows the vendor is taking a proactive approach to security and safeguarding your information. This type of insurance covers property losses and liability that might occur when an organization participates in tech-facilitated activities, such as collecting data or selling things online. The coverage typically includes but is not limited to liability for a data breach in which sensitive information gets exposed or stolen by cybercriminals.<\/p>\n

Cyber liability insurance can cover expenses related to the following:<\/p>\n