Keep Networks Segmented
Hands down, the top cybersecurity lesson that we can draw from the breach is the importance of network segmentation.
Network segmentation seeks to contain the damage caused by a security breach by limiting network access to those resources required by a specific individual or group. Using firewalls and other network devices, network teams architect boundaries between networks that require additional levels of authentication and authorization to cross. This is especially crucial for high-security environments, such as systems that process credit card transactions. Operating a large, “flat” network that lacks segmentation is asking for trouble.
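One way to turn the segmentation principle into a repeatable check is to audit firewall rules against a segment inventory and a trust ranking, flagging any rule that lets traffic from a lower-trust zone (such as a vendor remote-access landing zone) reach a higher-trust zone without an extra authentication step, and any rule that reaches the cardholder environment without passing through the bastion. The script below is an added example written for this article, not code from the original page; the segment names, CIDRs, bastion design and sample rules are constructed assumptions, not any real retailer's network.

```python
import ipaddress
from dataclasses import dataclass

# Constructed segment inventory (hypothetical CIDRs, chosen for illustration).
SEGMENTS = {
    "vendor_remote": ipaddress.ip_network("10.50.0.0/16"),  # where vendor VPN sessions land
    "corporate":     ipaddress.ip_network("10.10.0.0/16"),  # general office systems
    "jump_host":     ipaddress.ip_network("10.20.1.0/24"),  # MFA-gated bastion segment
    "cde":           ipaddress.ip_network("10.99.0.0/16"),  # cardholder data environment
}

# Higher number = more sensitive. Traffic flowing toward a higher-trust
# segment crosses a boundary that should demand additional authentication.
TRUST = {"vendor_remote": 0, "corporate": 1, "jump_host": 2, "cde": 3}


@dataclass(frozen=True)
class Rule:
    src: str            # CIDR, or "any"
    dst: str            # CIDR, or "any"
    port: str           # e.g. "443", or "any"
    action: str         # "allow" or "deny"
    mfa_required: bool = False  # does this path enforce a second factor?


def segment_of(cidr: str) -> str:
    """Map a CIDR to the named segment that contains it."""
    if cidr == "any":
        return "any"
    net = ipaddress.ip_network(cidr)
    for name, seg in SEGMENTS.items():
        if net.subnet_of(seg):
            return name
    return "unknown"


def audit_rules(rules):
    """Return (rule, reason) pairs for allow rules that undermine segmentation."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        s, d = segment_of(r.src), segment_of(r.dst)
        if s == "any" or d == "any":
            findings.append((r, "any-to-any style rule: effectively a flat network"))
        elif "unknown" in (s, d):
            findings.append((r, "address not in segment inventory: cannot reason about trust"))
        elif d == "cde" and s != "jump_host":
            findings.append((r, "direct path into CDE bypasses the bastion"))
        elif TRUST[d] > TRUST[s] and not r.mfa_required:
            findings.append((r, "crosses a trust boundary without MFA"))
    return findings


# Constructed sample rule set exercising each failure mode.
SAMPLE_RULES = [
    Rule("10.50.3.0/24", "10.10.0.0/16", "443", "allow"),                     # vendor -> corporate, no MFA
    Rule("10.50.3.0/24", "10.99.5.0/24", "any", "allow"),                     # vendor straight into CDE
    Rule("10.20.1.0/24", "10.99.0.0/16", "22", "allow", mfa_required=True),  # bastion -> CDE, MFA enforced
    Rule("any", "any", "any", "allow"),                                       # the classic flat-network rule
    Rule("10.10.0.0/16", "10.50.0.0/16", "443", "allow"),                     # downward flow, acceptable
]


def audit_sample():
    return audit_rules(SAMPLE_RULES)


if __name__ == "__main__":
    for rule, reason in audit_sample():
        print(f"{rule.src:>15} -> {rule.dst:<15} {rule.port:>4}  {reason}")
```

Run as a script it prints the three offending rules. The useful part is the shape of the check rather than the toy data: the segment inventory and the trust ranking are the artifacts a network team already maintains, and exporting real rules into this form lets the audit run on every change instead of only during an annual review.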
Carefully Vet Potential Vendors
Vendors require careful screening, especially when they will have access to information systems. It’s the business’s responsibility to ensure that vendors exercise at least the same level of security control that it expects from internal staff and resources with similar access.
It may be necessary to supplement the vendor’s security controls with some of the business’s own. For example, if the large retailer had required that vendors implement multifactor authentication for all remote network access, that might have prevented the 2013 attack from succeeding.
Make sure to follow the supply chain as deep as it goes. If a vendor uses subcontractors, they should be subject to the same security vetting and control as the primary vendor. Along the same lines, employees of vendors and subcontractors should undergo the same background checks as the organization’s own similarly situated employees.
Validate Compliance Obligations
Most organizations today work under at least one regulatory regime. In the case of credit card processing activities, the Payment Card Industry Data Security Standard (PCI DSS) has specific requirements for service provider certification.
As a business enters relationships with new vendors, it should carefully document the systems and information that the vendors might encounter during the course of the relationship. If that access involves regulated information, be sure to clear all of the compliance hurdles before granting access.
Retain and Exercise Audit Rights
Technology environments change constantly. Organizations add new systems, modify the configurations of existing solutions and redesign business processes to meet changing requirements. Internally, cybersecurity teams routinely conduct top-to-bottom assessments of the organization’s security posture to identify gaps that might have been created by those changes.
Organizations should adopt the same approach to existing vendor relationships by including a right to audit operations in vendor agreements and periodically exercising that right in some manner.
Businesses may choose to perform these assessments directly, but this can quickly become burdensome as the number of vendor relationships scales. Vendors may also bristle at the notion of undergoing separate audits by a large number of their customers.
For this reason, many organizations choose to include contract language that requires the vendor to engage with a reputable, independent auditor to conduct an annual cybersecurity review and then share the results of that review with all of its customers.
Put Everything in Writing
Strong working relationships between customers and vendors are wonderful, but when it comes to cybersecurity practices, documentation is paramount. Take the time to make sure that vendor contracts and service-level agreements clearly spell out the cybersecurity responsibilities of both parties. These provisions should include the security controls that the vendor must implement, the auditing and assessment procedures, and a requirement that the vendor promptly notify the customer of any potential security breach.
As businesses continue to engage a wider array of vendors, managing those relationships from a cybersecurity perspective becomes increasingly important. Take the time to conduct an inventory of existing relationships and create procedures that structure the cybersecurity onboarding of all new vendors.