Are Your Vendors Putting Your Company’s Data at Risk?
October is National Cyber Security Awareness Month. The vendors your business works with have access to your sensitive data. Is your business taking the right steps to ensure that data is secure? This is part 14 in a series of blog posts we will be publishing on various topics aimed at educating you on how to stay protected in today’s Internet landscape.
The vendors that you rely on for services and support are probably a key part of your business success. They may also present a security threat, since your security is only as strong as theirs.
One quarter of small- and medium-sized business owners recently surveyed by Symantec for its 2014 Small/Medium Business Mobile Survey said the information security policies of a vendor, such as a CPA or payroll provider, do not influence their vendor choice. Among the smallest businesses, the figure is 44 percent.
Ensuring that your vendors take security precautions to protect the information you share with them is an important business practice. While you cannot control what happens on a vendor’s premises, you can take steps to ensure that the vendors you choose will work to keep your data secure. Ask these four questions to evaluate your vendors’ security practices:
How do you protect customers’ information?
Ask all potential vendors about their security policies. Be sure they have strong processes for protecting information — including data encryption — both during transmission and in storage. They should also have secure offsite data backup. Hard copy files should be kept in a locked facility or storage area with restricted access. Bring your technology resource — a vendor or internal person who focuses on technology, if you have one — into the discussion.
Ask about the hardware and software your vendors use to protect their devices. Computers and servers should have up-to-date firewall protection, business-grade antivirus and anti-spyware software, and current security patches. Any mobile devices used to access your information should also run software that protects against malware and privacy leaks. Depending on the type of vendor, the company should also have clear policies for file retention and destruction.
Are your employees screened?
Ask vendors about their screening processes for employees, such as criminal background checks and past employment verification, and their ongoing practices to protect against employee fraud. Also find out what processes are in place to ensure that only authorized employees have access to your data. Access should be restricted to those who need it to perform their jobs, whether through password-protecting files or locking facilities where data is kept.
How are employees trained?
Like your own staff, your vendors’ employees should be trained in security best practices. These include creating long, complex passwords that combine letters, numbers and special characters, and changing those passwords frequently. Employees should also be trained to spot suspicious emails and to avoid clicking on links or downloading files from unknown sources.
Find out whether employees are allowed to access customer-related information remotely and, if so, what the guidelines are. Remote access should be enabled through a virtual private network (VPN), which provides a secure “tunnel” through the Internet between a device and a company’s network. Any devices used to access data remotely should run antivirus software.
Will my data be shared with third parties?
It is common for certain types of vendors to outsource some of their work. For example, a CPA firm might outsource some of its bookkeeping or tax preparation services, while an insurance firm might outsource data entry or invoicing. Ask about the third-party relationships your vendor may have, what kind of access their partner companies will have to your information, and how your vendor evaluates the security policies of its partners.
Along with carefully evaluating vendors’ security practices, be sure security remains a top priority inside your own company. Symantec offers powerful protection for devices and data through Norton Small Business, which secures computers and mobile devices at businesses with fewer than 20 employees, and Symantec Endpoint Protection Small Business Edition, which protects desktops, laptops and servers at companies of 20 or more employees. Begin strengthening the defenses of your devices and data so you can work with confidence.
This is part 14 of a series of blogs for National Cyber Security Awareness Month.
For more information on various topics, check out:
5 Ways You Didn't Know You Could Get a Virus, Malware, or Your Social Account Hacked
How To Choose a Secure Password
How To Avoid Identity Theft Online
How To Protect Yourself From Phishing Scams
How To Protect Yourself From Cyberstalkers