What you probably don’t remember is the name of the company that was actually hacked—it was an HVAC company who sometimes did work for Target stores. The air conditioning company was hacked, and the cybercriminals used their access to Target’s system to cause massive amounts of damage.
When implementing a cybersecurity plan, most business owners only consider their own company. But you also need to consider the cybersecurity policy of your vendors—especially if they have access to your network or your sensitive data.
How much do you know about your vendors’ cybersecurity? Do you know who at their office has access to your information and what measures they’ve put into place to protect it? At a minimum, you need to know the answers to these questions:
- At your company, who has access to my data?
- Where is my data stored?
- What measures are in place to protect it from a data breach?
- How often do you review and update your cybersecurity policy?
Your vendors don’t even need to have access to your network to put you in danger if they have poor cybersecurity. Recently, we’ve seen a rise in wire fraud style phishing attacks where cybercriminals use a compromised account to trick other companies into wiring money.
Here’s how it works: Jerry is a mid-level, customer-facing employee at P&R. He falls victim to a phishing attack and gets his company login credentials stolen. The cybercriminal uses this information to log in to his account and do a little background research. He figures out who Jerry regularly emails at customers.
The cybercriminal then emails Andy, the admin at the Ramsett Company (a P&R customer), to tell him that P&R has a new online payment link and Ramsett needs to pay their bill. Andy, not seeing anything amiss in the email since it’s coming from Jerry’s actual account, follows the link and pays. Neither of them notices anything out of the ordinary until a few weeks later when Ramsett’s actual bill is due.
We’ve seen this, and similar scenarios play out multiple times. A similar trend is occurring in the real estate industry, with cybercriminals pretending to be mortgage companies, and tricking home buyers out of their house down payment.
In any of these scenarios, as the customer, there are some steps you can take, like limiting the access your vendors have to your network. But ultimately, your vendors’ security measures are in their hands. Your best course of action is to ask the questions and be selective about the vendors you work with.