When you hear popular cyber security tips, it’s usually to enable MFA, use complex passwords, and ensure your business has appropriate cyber insurance. All of these are critical to mitigating the risk of a security breach. However, there’s also a less common tip that many small and medium businesses often overlook: question your third-party vendors.
Believe it or not, but your HVAC, building elevators, and even gym cards could be the reason your company falls victim to a cyber-attack. These third-party vendors are essentially shortcuts directly into your IT infrastructure. As soon as a hacker breaks through their systems, yours could be next. If your business lacks essential safeguards, a cyber security breach is imminent.
How it Happens:
If a vulnerability is available, a hacker will find it. It could be in your system or your vendor’s system, but you’ll be attacked regardless. Cyber attackers constantly adapt and find more efficient ways to succeed in their hacks, which are now fully automated, mass-produced, and mass distributed. It only takes one system and a few minutes to compromise an entire network.
The infamous 2013 Target breach is an eerie example of just how powerful these attacks are. 40 million credit and debit card accounts were compromised, all because of a single compromised laptop of an HVAC technician.
While it’s vital to ensure your business is protected, you can’t trust that your vendors are doing the same without proof. It’s worth the extra work to require and verify that your vendors follow standard cyber security protocols.
What’s at Risk:
When your IT systems are compromised through third-party vendors, not only is your information exposed, but those elements can be potentially manipulated by hackers. For instance, let’s say your building’s security company is unknowingly the victim of an attack. According to IBM, it takes on average 280 days to contain a breach. That’s plenty of time for the attackers to gain complete control of your other networked systems as well, including security cameras, electronic locks, alarm systems, controls, and more.
Buildings and infrastructure pose a major threat if not secured properly. Building management systems (BMS), elevators, HVAC systems, and practically anything tied into your network should be seen as a high-level risk. It’s not hard to imagine the dangerous outcomes of hackers obtaining control of any of these systems.
Other vendors to watch out for are “smart” devices such as door locks, digital locks, gym equipment, and signage. Digital lockers, similar to Amazon Hubs, are also targets. Something as mundane as your printer vendor could accidentally expose your business. Would you want copies of all printed, scanned, and faxed documents to be accessible to strangers? Unfortunately, that’s a reality if your printer is compromised.
Why it Matters:
Sometimes it’s hard to grasp the magnitude of what happens after a cyber-attack. There isn’t a magic off-switch that your IT can flick that will make everything stop. The complex layers of your IT systems can all be attacked at different times and in different ways.
That’s not to say any equipment outside of your IT system is safe. Machinery and manufacturing equipment are specifically targeted due to this lack of security measures. Through the machinery is complex, the computer is basic. If a hacker gets in, they have access to motors, switches, and more.
The recent attack on a Florida water-treatment plant illustrates why it’s so important to ensure your vendors are secure. It’s not just data that can be exposed or destroyed, countless people’s lives could be at risk. Hackers gained access through third-party software that was installed on the facility’s computers.
How to Prevent it:
It’s common for many vendors to choose convenience over security. If your options are limited and you are forced to choose a vendor with less-than-stellar security, it’s now your job to make them secure. Immediately talk to your IT team on how to safely accommodate them without compromising your safety standards. An enormous amount of frustration and risk can be mitigated by involving your IT company at the start of a vendor project, rather than as an afterthought. It may be a few extra steps, but it’s more than worth it to validate your systems are secure.
Another step to take with your IT team is to discuss the best practices to follow for your business’s security. Each situation and business is unique, so your IT provider should be able to give insight as to what vendors and vendor products are riskier than others. It is ultimately up to you to decide on a cyber risk strategy that works for your business.
Finally, your overall risk level can be greatly reduced by rethinking how you approach your technology. IT security shouldn’t be the last thought, rather you should view it as a part of your company’s culture. Investing in a strong security culture in your company pays dividends. When you cultivate a work environment that minimizes risk and maximizes security, the payoff is priceless.
Have questions about securing your vendors or mitigating your risk? Reach out to our team at [email protected].