Wrangling and Securing IT Vendors
OR Who Let the Intellectual Property Out? Who? Who? Who? Who? Who?
No single vendor can provide every Information Technology need. I have worked with individual entrepreneurs and Fortune 50 companies, and none of them do it alone. Everyone needs outside vendors. The most basic needs require five vendors, and some companies have dozens!
That means lots of moving parts and access for your IT department to manage! What happens when an issue occurs? Every vendor is quick to kick the can down the road. It can’t be them. They never have problems! Remember? 99.999%! It must be you! Here’s how to cut through the baloney and keep your IT Vendors in line.
Moving Parts – Each vendor is experienced at a particular task, and all will claim to do more than they truly can manage. Internet Service Providers provide the connections to the Internet and Cloud services, as well as all other connections outside the company. Internally, you could have dozens of different vendors for hardware, software, and mobile devices. It’s up to your IT department or outsourced vendor to manage them.
Send In The Clowns! – Only a handful of the best jugglers in the world can sustain nine (9) balls! What if you’re juggling chainsaws or antique vases? Now consider if your expert jugglers (internal IT staff) wouldn’t even qualify as the assistant to the hobo clown at the county fair yelling at you from the dunking booth. You know who I’m talking about…the one who looks like he was painted in the county jail and is on work release for “community service.” Is he handcuffed to that booth?
We’ll Just Outsource – Many major organizations have pushed their primary IT services to an outside organization. However, they still need to maintain some IT staff to coordinate vendors. In plain words, they need someone to look after the best interest of the organization. I spoke with one IT guru who said he spends 15% of his time doing his job. The rest is Vendor Management!
Not My Problem – But what happens the moment an issue spans multiple vendors? If you’ve been in IT long enough, you know what comes next. Finger pointing! It can’t be the carrier; their monitoring shows the circuit is up. Cloud service providers aren’t at fault, or the whole world would be screaming. Suddenly, all the fingers point back to the customer! And what about when a security breach occurs and Intellectual Property (IP) leaks out?
Read The Fine Print – Every contract clearly states the line where vendor responsibility ends and customer responsibility begins. Their easy out is always to say that if it’s not a problem in their system, it’s not their problem, and you must prove them wrong. If you have multiple vendors, and we all do, a deep dive into their contracts will surface a very serious issue…GAPS!
Don’t Fall Into The Gap – Your first instinct may be to hire an existing or new vendor to cover you. Don’t count on it; even cybersecurity insurance may not pay out if the failure is found to be on your side of the line. So the most important first step is to build a logical support map to go along with your network diagrams. Knowing how your systems work, how your vendors interact, and which vendor owns each piece creates a visual of where the bridges are needed.
Ignorance Is Still Liability – Strong cybersecurity comes from knowing how each system or application communicates. Build a detailed visual representation with IP addresses, hostnames, and ports that shows every interaction and which vendor supports each end of it. Table Reads (tabletop exercises) are walkthroughs of who does what when an Incident occurs, whether the Incident is a fire, a security breach, or an Internet outage. Having a script forces each vendor to explain its role and the limits of its support during different Incidents, before you actually need them.
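As an added example (not from the original post) of what a logical support map looks like once it is written down rather than drawn, here is a small Python script that records each flow with its hosts, addresses and port, records which hosts each vendor contract covers, and then reports the two kinds of gap the contracts leave: hosts nobody is responsible for, and handoffs where the two ends of a flow belong to different vendors. It can also emit the map as Graphviz DOT so it sits next to the network diagram. All hostnames, addresses, vendor names and contract scopes are constructed for illustration.

```python
"""Logical support map with a gap check.

Added example, not code from the original post.  Hostnames, addresses,
vendor names and contract scopes below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_host: str
    src_ip: str
    dst_host: str
    dst_ip: str
    proto: str
    port: int
    purpose: str


# Contract scope per vendor: the hosts each contract says that vendor supports.
# Anything not listed here is, by each contract's fine print, "not their problem".
VENDOR_SCOPE = {
    "erp-saas-co":   {"erp.example-saas.net"},
    "carrier-isp":   {"edge-fw.corp.example"},                     # circuit and edge device only
    "msp-helpdesk":  {"ws-042.corp.example", "ad-dc1.corp.example"},
    "backup-vendor": {"bkp01.corp.example"},
}

# The flows that make the business run: who talks to whom, on which port, and why.
FLOWS = [
    Flow("ws-042.corp.example", "10.10.5.42", "ad-dc1.corp.example", "10.10.1.10", "tcp", 389, "LDAP auth"),
    Flow("ws-042.corp.example", "10.10.5.42", "edge-fw.corp.example", "10.10.0.1", "tcp", 443, "Internet egress"),
    Flow("edge-fw.corp.example", "203.0.113.7", "erp.example-saas.net", "198.51.100.20", "tcp", 443, "ERP over Internet"),
    Flow("bkp01.corp.example", "10.10.2.5", "sql01.corp.example", "10.10.3.8", "tcp", 1433, "nightly DB backup"),
    Flow("sql01.corp.example", "10.10.3.8", "erp.example-saas.net", "198.51.100.20", "tcp", 443, "ERP data sync"),
]


def owners(host, scope=VENDOR_SCOPE):
    """Vendors whose contract covers this host (may be empty)."""
    return {vendor for vendor, hosts in scope.items() if host in hosts}


def find_gaps(flows, scope=VENDOR_SCOPE):
    """Return (flow, reason) pairs for every place finger-pointing can start.

    Two kinds of gap: a host nobody's contract covers, and a handoff where the
    two ends of a flow belong to different vendors (each can blame the other).
    """
    gaps = []
    for f in flows:
        src_v, dst_v = owners(f.src_host, scope), owners(f.dst_host, scope)
        if not src_v:
            gaps.append((f, f"no vendor responsible for {f.src_host}"))
        if not dst_v:
            gaps.append((f, f"no vendor responsible for {f.dst_host}"))
        elif src_v and src_v.isdisjoint(dst_v):
            gaps.append((f, f"handoff {sorted(src_v)} -> {sorted(dst_v)} on {f.proto}/{f.port}"))
    return gaps


def to_dot(flows, scope=VENDOR_SCOPE):
    """Render the map as Graphviz DOT so it can sit next to the network diagram."""
    lines = ["digraph support_map {", "  rankdir=LR;"]
    hosts = {f.src_host for f in flows} | {f.dst_host for f in flows}
    for h in sorted(hosts):
        label = f"{h}\\n{' / '.join(sorted(owners(h, scope))) or 'NO OWNER'}"
        lines.append(f'  "{h}" [label="{label}"];')
    for f in flows:
        lines.append(f'  "{f.src_host}" -> "{f.dst_host}" [label="{f.proto}/{f.port} {f.purpose}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for flow, reason in find_gaps(FLOWS):
        print(f"GAP  {flow.src_host} -> {flow.dst_host}:{flow.port}  {reason}")
    print(to_dot(FLOWS))
```

On the constructed data the script flags the database server twice (no contract covers it) and two handoffs (workstation to carrier edge, carrier edge to the SaaS ERP). Those four lines are exactly the places to write a bridging clause, assign an internal owner, or script a Table Read.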
Bring In An Expert – Many cybersecurity organizations today include vendor management and gap analysis as part of their services. If your Security Operations Center (SOC) only alerts you to issues found by the software on your desktops, servers, and mobile devices, maybe it’s time for a new SOC. Most C-levels I’ve spoken with in the last year are getting pressured by their insurance providers to lock down vendors. If you haven’t yet, you will when it’s time to renew your insurance.
Reduce, Reuse, Renew – Another trend in cybersecurity is reducing the overall number of vendors. Fewer hands in the pie mean fewer possibilities for crumbs. A large share of the data breaches of the last ten years involved vendor access, or a vendor failing to follow security policies the organization already had in place. Why? Read your contract. It’s not their job! Keeping only security-minded vendors may be difficult, but knowing which ones are not lets you place a virtual fence around their access: a dedicated account, a restricted network path, and logging on everything they touch.
Cloud Is NOT Secure – Bring on the hate mail, but your Cloud service provider is not responsible for your security. Under the shared responsibility model the provider secures the data centers and the platform; what runs inside your tenant (open ports, patches, identities, endpoint protection) is yours. Every major provider offers network controls (security groups, network security groups, VPC firewall rules), but they only work if someone owns them, and a port opened “temporarily” for a vendor tends to stay open. That is why penetration tests so often find more wide-open ports on Cloud servers than anywhere else: the servers sit on the open Internet, and nobody is maintaining the rule set. If you aren’t running a firewall in front of your Cloud workloads, set one up NOW. Also remember that a VPN or site-to-site link makes the Cloud part of your network: if Ransomware hits you internally, it can spread to your Cloud servers, and vice versa. Run endpoint protection and host firewalls, keep the security tooling on, and patch Cloud hosts on the same schedule as on-premises ones. A breach is not the time to find out which side of that line a control was supposed to be on.
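The check a practitioner actually wants here is an audit of the rule set nobody is maintaining. The following is an added example, not code from the original post or from any provider: a Python script that walks security-group rules laid out in the shape of an AWS `describe-security-groups` response and reports every rule reachable from the whole Internet (0.0.0.0/0 or ::/0) that is not on an explicit intended-public list. The weak group and its corrected counterpart are shown side by side; group IDs, CIDRs and the intended-public list are constructed assumptions.

```python
"""Audit cloud security-group rules for exposure to the whole Internet.

Added example, not from the original post.  The group definitions are
constructed in the shape of an AWS `describe-security-groups` response;
IDs and CIDRs are made up.  Intended-public services are an assumption you
set per environment.
"""
import ipaddress

# What you actually mean to expose to 0.0.0.0/0 or ::/0.  Everything else that
# is world-reachable is a finding.
INTENDED_PUBLIC = {("tcp", 443)}

SECURITY_GROUPS = [
    {   # the "temporary" rules that never got removed
        "GroupId": "sg-0weak", "GroupName": "app-servers",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1",                          # all protocols, all ports
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # the corrected group: admin access only from the office range
        "GroupId": "sg-0fixed", "GroupName": "app-servers-hardened",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]


def is_world(cidr):
    """True for 0.0.0.0/0 and ::/0 (prefix length zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(groups, intended_public=INTENDED_PUBLIC):
    """Return (group_id, what, sources) for every rule open to the Internet
    that is not on the intended-public list."""
    findings = []
    for g in groups:
        for rule in g["IpPermissions"]:
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            world = [c for c in sources if is_world(c)]
            if not world:
                continue                       # scoped to specific networks: fine
            proto = rule["IpProtocol"]
            if proto not in ("tcp", "udp"):    # "-1" (all), icmp, etc.
                findings.append((g["GroupId"], "all traffic" if proto == "-1" else proto, world))
                continue
            lo, hi = rule["FromPort"], rule["ToPort"]
            if all((proto, p) in intended_public for p in range(lo, hi + 1)):
                continue                       # exactly what we meant to publish
            findings.append((g["GroupId"], f"{proto}/{lo}" + (f"-{hi}" if hi != lo else ""), world))
    return findings


if __name__ == "__main__":
    for gid, what, srcs in audit(SECURITY_GROUPS):
        print(f"{gid}: {what} open to {', '.join(srcs)}")
```

Against the constructed groups the audit reports SSH, RDP and an all-traffic IPv6 rule on the weak group and nothing on the hardened one. Running this against a real export turns the vague “more wide-open ports on Cloud servers” into a list with an owner for each line.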
Holistic, End-to-End Monitoring – Knowing your applications and systems end to end allows for anomaly monitoring. This requires baselining: recording which systems talk to which, over what ports, how much, and at what times of day, so you know what normal looks like. If you know the backup server shouldn’t be downloading customer data to a workstation at noon, that transfer stands out the moment it appears. If you’re not monitoring, you’ll never know! Cybersecurity vendors exist to provide this level of system understanding, but they are not cheap, and no piece of software removes the need for human discernment.
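To make the baselining concrete, here is an added example (not from the original post) in Python: it builds a baseline of (source, destination, port) tuples, the hours of day each was seen, and the largest transfer observed, from a few days of flow records, then runs a new day’s records against it and flags three kinds of deviation: a tuple never seen before (the backup server pushing to a workstation at noon), a known tuple at an unusual hour, and a known tuple moving far more data than usual. The log lines and their `src= dst= dport= bytes=` format are constructed for this example, not any product’s real output.

```python
"""Baseline-and-deviate detection over constructed flow records.

Added example, not code from the original post.  The log format below
("<ISO timestamp> src=<host> dst=<host> dport=<port> bytes=<n>") and every
record in it are made up for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Two quiet days: nightly DB backup at 02:00, workstation LDAP in the morning,
# workstation web egress around noon.
BASELINE_LOG = """\
2024-03-01T02:00:11 src=bkp01 dst=sql01 dport=1433 bytes=5200000000
2024-03-01T09:15:03 src=ws-042 dst=ad-dc1 dport=389 bytes=4200
2024-03-01T12:02:40 src=ws-042 dst=edge-fw dport=443 bytes=910000
2024-03-02T02:00:09 src=bkp01 dst=sql01 dport=1433 bytes=5300000000
2024-03-02T09:16:21 src=ws-042 dst=ad-dc1 dport=389 bytes=4100
2024-03-02T12:05:12 src=ws-042 dst=edge-fw dport=443 bytes=880000
"""

# The day under review: the backup server pushes 3.8 GB to a workstation at
# noon, that workstation then uploads 6 GB out, and it talks to AD at 23:40.
NEW_LOG = """\
2024-03-03T02:00:07 src=bkp01 dst=sql01 dport=1433 bytes=5250000000
2024-03-03T12:10:44 src=bkp01 dst=ws-042 dport=445 bytes=3800000000
2024-03-03T12:11:02 src=ws-042 dst=edge-fw dport=443 bytes=6000000000
2024-03-03T23:40:00 src=ws-042 dst=ad-dc1 dport=389 bytes=4000
"""


def parse(log):
    """Yield one dict per record: hour of day, src, dst, dport, bytes."""
    for line in log.splitlines():
        ts, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        yield {
            "hour": datetime.fromisoformat(ts).hour,
            "src": fields["src"],
            "dst": fields["dst"],
            "dport": int(fields["dport"]),
            "bytes": int(fields["bytes"]),
        }


def build_baseline(log):
    """Per (src, dst, dport): the hours it was seen and the largest transfer."""
    base = defaultdict(lambda: {"hours": set(), "max_bytes": 0})
    for r in parse(log):
        key = (r["src"], r["dst"], r["dport"])
        base[key]["hours"].add(r["hour"])
        base[key]["max_bytes"] = max(base[key]["max_bytes"], r["bytes"])
    return dict(base)


def detect(log, baseline, volume_factor=3):
    """Return (key, hour, reason) for each record that deviates from baseline."""
    alerts = []
    for r in parse(log):
        key = (r["src"], r["dst"], r["dport"])
        b = baseline.get(key)
        if b is None:
            alerts.append((key, r["hour"], "never seen in baseline"))
        elif r["hour"] not in b["hours"]:
            alerts.append((key, r["hour"], f"outside baseline hours {sorted(b['hours'])}"))
        elif r["bytes"] > volume_factor * b["max_bytes"]:
            alerts.append((key, r["hour"], f"{r['bytes']} bytes > {volume_factor}x baseline max {b['max_bytes']}"))
    return alerts


if __name__ == "__main__":
    for key, hour, reason in detect(NEW_LOG, build_baseline(BASELINE_LOG)):
        print(f"ALERT {key[0]} -> {key[1]}:{key[2]} at {hour:02d}:00  {reason}")
```

The nightly backup passes because it matches its own history; the three other records each trip a different rule. A real deployment would learn the baseline over weeks rather than two days and tolerate some drift, but the structure (tuple, time-of-day, volume) is what an analyst, or the SOC you are paying, needs to have in front of them before they can exercise that human discernment.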
Many vendors don’t care about your security. If you or your cybersecurity vendor know how all the vendors interact, you can pinpoint where issues and vulnerabilities are and hold the responsible vendor accountable. Knowledge is power and a necessary requirement for modern IT.