The 2013 Target breach served as a wake up call for many businesses about the importance of proper cybersecurity practices. Since then, organizations have devoted a lot of time and resources into putting security controls and trainings in the place to better protect their data. Yet, one piece that is often overlooked is vendor management. In fact, the Target breach occurred when the credentials of an HVAC vendor were stolen and used to gain access to Target’s network. Traditionally, vendor management involves creating a security agreement and routinely accessing vendors’ security practices, but doesn’t always include cyber awareness training. However, given that credentials are regularly stolen through social engineering tactics, organizations need to start focusing on training their critical vendors to be more cyber aware.
With the effort often involved in implementing training programs for employees, it may seem daunting to also train vendors. However, since vendors usually have limited access and have very specific roles, vendor cyber awareness programs should be customized to the role they play within your organization. While you should ensure that the Vendor does have a comprehensive awareness program for all employees, you should consider adding your own training to those individuals who are touching your account — including their accounts payable or receivable units — and tailor the training to the specific risks they present.
Take the Target breach as an example. Hackers gained access to the Target network through credentials to a vendor portal. In order to help prevent the breach, Target could have taken the following steps: first, require strong authentication, including multi-factor authentication, to access the Target system; second, receive verification that the vendor has a training program in place for all employees; third, identify the individuals within the vendor’s organization that need to access it’s system; finally, provide those individuals adequate, role-based training on topics like password strength, business email compromise, and phishing.
The importance of ensuring your vendors are cyber aware cannot be overstated, and should even be a requirement before entering into any agreement. While this training doesn’t need to be as extensive as it is for your employees, it should be focused on the individuals with access, and the role those individuals play within your organizations. Anything less than that could leave you vulnerable to unauthorized access.