Did you know that most small businesses have more vendors than team members? To paraphrase that old joke, “how many vendors does it take to make a business successful?” But if that number of vendors makes you more open to a cybersecurity breach, it’s no joke. It’s called a “supply chain vulnerability” where cyber-crooks gain access through a business vendor or partner.
From a cybersecurity point of view, your data is your company’s most valuable asset. However, most companies ignore data security, allow it to spread, and give everyone access to it. How can we reduce risk and make a business exponentially safer? We can do that with a simple exercise. Start by making a list of all the companies you share data with and where that data is stored and transmitted. At first glance, this may sound like a daunting task, but it should only take a few days if you do it right. Once you’ve compiled that list, you’ll probably have four important realizations:
- You’re dealing with far too many third-party providers.
- You’re sharing far too much data with everyone.
- You have data that is much more distributed than you expected.
- You have too much data ‘lying around.’
Let’s talk through some changes based on these insights. Addressing the vendor problem probably means eliminating a number of redundant vendors or having serious conversations about those who are dubious. Once you’ve managed to downsize this list, a simple onboarding program will help keep them to a more manageable number. There’s no reason to manage the risk of seven vendors just because one person likes to use one over the other. A small amount of due diligence will bring significant rewards when it comes to compliance requirements.
Striking a balance
It’s not unusual for your employees to build relationships with other vendors on their own to make their lives easier. While you should appoint a gatekeeper to prevent sellers from sneaking in, make sure that you are not unduly restrictive. Remind your business partners that a significant proportion of infringements are by third parties, and it’s in everyone’s interest to keep your systems safe and secure by eliminating or minimizing third-party access. Business people will find a way around any regulation that prevents them from doing their job effectively.
The second discovery will hopefully make you think about cleaning up and limiting the amount of data that people have access to and what data you share. The lowest privileges and verification options are your saviours in the event of a breach. One of the core requirements of a compliance program is to know who currently has access to your data. Always pose the question, “do they need or just want access?”
Next, consider consolidating your data to get it under control. You’ll discover data boxes, storage devices, cloud providers, internal shares, and everything in between. Data needs to be in as few places as possible to keep proper control. Consolidation drastically reduces your operational overhead, costs, and risks. Storage is simple; you don’t need hundreds of locations, just an appropriate level of backups to make sure you can recover.
Finally, stop hoarding data! People tend to keep data forever, just in case they need it. This is a huge mistake and will cost you dearly in the event of an infringement. Implement a data retention program and find out what data you can get rid of. If it has been lying around for five years and no one has touched it, unless there is a regulatory or legal requirement, you should consider deleting it. Here’s a great resource for data retention guidelines DLA Piper Global Data Protection Laws of the World – World Map (dlapiperdataprotection.com).
None of these measures need to be overly complex or take years to implement. Keep them simple and clean. You will see the results almost immediately.
To return to our initial question, “how many providers does it take to make a business successful? That answer will be consistent whether you have a full-time security person or a virtual CISO like me. The answer lies in the odds of who will be the breached vendor that creates your cybersecurity incident. Fewer, better qualified reduces the odds and your risks.