Level 3 Communications

Dale Drew

Cybersecurity: Not Just an Inside Job

If you think cybersecurity is just about ensuring that your networks, systems and data are protected against attacks, think again.

Safeguarding your internal IT infrastructure and end-user devices is certainly a huge part of building a strong security program. But it’s just as important to make sure that the outside entities your company deals with are doing their best to safeguard their own environments.

At any given time, external enterprises might be working with dozens of vendors, third-party service providers and other business partners. Because many electronic transactions and collaborations are likely to take place with these partners, IT and security executives need to make it a priority to vet these companies as part of an overall security strategy.

In fact, before jumping into a close relationship with any outside parties, it’s crucial to assess their security profiles. Here are some productive steps to take before forging a partnership with an outside organization:

  • Maintain a security program that vets vendors prior to onboarding. This goes for all types of entities that could potentially have access to your network and systems — not just IT and communications providers.
  • Request background checks. You should insist that anyone who will have access to your IT resources has been screened by a proper third-party agency. As with vetting internal employees, making sure your vendors have screened their employees will ensure that an outside user does not have a criminal history indicating they will be a threat to your business.
  • Be sure that any contractors or other individuals working on your IT infrastructure or who have access to your data possess the proper certifications, and monitor partner actions to ensure that security policies and procedures are being followed.
  • Minimize network connectivity and access to information. Just because your company has formed a close relationship with a partner doesn’t mean that this entity needs to have continual access to your IT resources. Provide access on an as-needed basis, and be certain that this is made clear in the initial contract so as not to create issues at a later date.
  • Provide education and awareness to vendors and other partners. In the same way you inform internal employees about cybersecurity requirements, you need to do so with outside partners as well.

Organizations that don’t work to ensure their partners are secure run a number of risks. In many cases, these outsiders will have access to your network, data and online sites. Because they are not employees of your company, they can treat that access with much less care and discipline than your own team.

Also, vendors tend to bring their own devices into your environment, which are not always protected in the same way your organization’s systems are. This means that these devices might be vulnerable to hacking, malware or other threats.

Furthermore, sometimes it’s difficult to tell the difference between employees and vendors/partners from an access perspective, so you might not be able to “segment” access to critical business data.

Cybersecurity needs to be a much more holistic effort in this age of the digital business. By taking steps to ensure your partners are doing all they can to protect their information, you can also enhance your own cybersecurity program.