Your Business Vendors May Have Access to Sensitive Information.
Make sure those vendors are securing their own computers and networks. For example, what if your accountant, who has all your financial data, loses his laptop? Or a vendor whose network is connected to yours gets hacked? The result: your business data and your customers’ personal information may end up in the wrong hands — putting your business and your customers at risk.
How To Monitor Your Vendors
Put it in writing
Include provisions for security in your vendor contracts, like a plan to evaluate and update security controls, since threats change. Make the security provisions that are critical to your company non-negotiable.
Establish processes so you can confirm that vendors follow your rules. Don’t just take their word for it.
Make changes as needed
Cybersecurity threats change rapidly. Make sure your vendors keep their security up to date.
How To Protect Your Business
Put controls on databases with sensitive information. Limit access to a need-to-know basis, and only for the amount of time a vendor needs to do a job.
Safeguard your data
Use properly configured, strong encryption. This protects sensitive information as it’s transferred and stored.
Secure your network
Require strong passwords: at least 12 characters with a mix of numbers, symbols, and both capital and lowercase letters. Never reuse passwords, don’t share them, and limit the number of unsuccessful log-in attempts to limit password-guessing attacks.
Use multi-factor authentication
This makes vendors take additional steps beyond logging in with a password to access your network — like a temporary code on a smartphone or a key that’s inserted into a computer.
What To Do If a Vendor Has a Security Breach
Contact the authorities
Report the attack right away to your local police department. If they’re not familiar with investigating information compromises, contact your local FBI office.
Confirm the vendor has a fix
Make sure that the vendor fixes the vulnerabilities and ensures that your information will be safe going forward, if your business decides to continue using the vendor.
If your data or personal information was compromised, make sure you notify the affected parties, who could be at risk of identity theft. Find information on how to do that in Data Breach Response: A Guide for Business, at FTC.gov/DataBreach.