When it comes to securing your company’s people and technology assets, focusing inside the office walls isn’t enough anymore. Organizations need to consider all potential vectors of attack, even those coming from outside the business.
Freelancers and contractors, who are not employed by the company but may have access to many sensitive internal systems or passwords, must be considered one of these emerging vectors of attack and secured appropriately.
This vector is critical to consider for SMBs, which may rely on many outsourced third parties to help support their needs and goals. That may include outsourced marketing or content, IT, administration, finance, physical office support, or many other functions. According to one study, 80 percent of businesses said they had a data breach due to a third-party vendor.
There have been numerous recent examples of what can happen if appropriate security protections are not put in place for contractors, freelancers, and other third parties. Recent attacks on Marriott, P&N Bank, and General Electric, for instance, were all attributed to third-party vendors. These attacks add to the list of now-famous data breaches, including Target in 2017 and Equifax in 2017, that similarly leveraged relationships with third-party vendors for an attack.
Building a secure relationship
Building a secure relationship between business and contractor starts from the beginning, perhaps including security assessments or ratings as part of the initial evaluation process. Language requiring a certain level of security protections, ongoing audit requirements, or cybersecurity SLAs can also be added to the vendor or freelancer contract. Third-party risk assessment tools from various vendors can help with this process, or a business can use a questionnaire format, as many choose to do.
An SMB can implement certain practices to ensure that access and activity are monitored on an ongoing basis. For example, establishing a baseline by mapping data flow can help ensure that access to data is restricted to the right people, that the correct control system is in place, and that security policies are being enforced. Continuous monitoring tools can track this behavior internally over time and pinpoint any anomalous activity or access that could point to a potential cyberattack.
Implementing cybersecurity awareness training
Finally, cybersecurity awareness training is essential for all employees: it should outline what sharing or access is acceptable to allow with third-party contractors. On top of that, training can help educate employees on phishing and other techniques that attackers may use to leverage the third-party relationship to harm the business.
If the vendor can no longer uphold the necessary cybersecurity standards, a business owner may need to consider terminating that relationship. No vendor relationship is worth the harm to the business’s reputation or financial well-being that a cyberattack could cause.
It has become more apparent over the last few years that the cybersecurity risk to businesses will continue to increase over time. Businesses of every size, from small to large, need to consider all potential vectors of attack to ensure risks are mitigated from all internal and third-party sources.