| by Shawn D. Stewart | No comments

Wrangling and Securing IT Vendors

OR Who Let the Intellectual Property Out? Who? Who? Who? Who? Who?

No single vendor can provide for every Information Technology need. I have worked with individual entrepreneurs and Fortune 50 companies and none of them do it alone. Everyone needs outside vendors. The most basic needs require five vendors, and some companies have dozens!

That means lots of moving parts and access for your IT department to manage! What happens when an issue occurs? Every vendor is quick to kick the can down the road. Can’t be them, they never have problems! Remember? 99.999%! Must be you! Here’s how to cut through the bologna and keep your IT Vendors in line.

Moving Parts –Each vendor is experienced at a particular task, and all will claim to do more than they truly can manage. Internet Service Providers provide the connections to the Internet and Cloud services, as well as all other connections outside the company. Internally, you could have dozens of different vendors for hardware, software, and mobile devices. It’s up to your IT department or outsourced vendor to manage them.

No alt text provided for this image

Send In The Clowns! – The world record for juggling is nine (9) balls by a highly experience juggler! What if you’re juggling chainsaws or antique vases? Now consider if your expert jugglers (internal IT staff) wouldn’t even qualify as the assistant to the hobo clown at the county fair yelling at you from the dunking booth. You know who I’m talking about…the one who looks like he was painted in the county jail and is on work release for “community service”. Is he handcuffed to that booth?

We’ll Just Outsource – Many major organizations have pushed their primary IT services to an outside organization. However, they still need to maintain some IT staff to coordinate vendors. In real words, they need someone to look after the best interest of the organization. I spoke with one IT guru who said he spends 15% of his time doing his job. The rest is Vendor Management!

Not My Problem – But what happens the moment an issue occurs across multiple different vendors? If you’ve been in IT long enough, you know what comes next. Finger pointing! Can’t be the carrier, they show their services are up. Cloud service providers aren’t at fault or the whole world would be screaming. Suddenly, all the fingers point back to the customer! How about when a security breach occurs, and Intellectual Property (IP) leaks out?

No alt text provided for this image

Read The Fine Print – Every contract clearly states the line where vendor responsibility ends and customer responsibility begins. Their easy out is always to say if it’s not a problem in their system, it’s not their problem and you must prove them wrong. If you have multiple vendors, and we all do, a deep dive of their contracts will bring about a very serious issue…GAPS!

Don’t Fall Into The Gap – Your first instinct may be to utilize an existing or new vendor to protect you. Not even cybersecurity insurance will protect you if you are found at fault. So the most important first step is to build a logical support map to go along with your network diagrams. Knowing how your systems work and how your vendors interact creates a visual of where bridges are needed.

Ignorance Is Still Liability – Strong cybersecurity comes from knowing how each system or application communicates. Build a detailed visual representation with IP addresses, host names, and ports to show interactions. Table Reads are walkthroughs of who does what during an Incident occurs, whether the incident is a fire, security breach, or Internet outage. Having a script forces vendors to explain their roles and limitations of support during different Incidents.

Bring In An Expert – Many cybersecurity organizations today include vendor management and gap analysis as part of their services. If your Security Operations Center (SOC) only alerts to issues found by the software on your desktops, servers, and mobile devices, maybe it’s time for a new SOC. Most C-levels I’ve spoken with in the last year are getting pressured by their insurance providers to lock down vendors. If you haven’t yet, you will when it’s time to renew your insurance.

No alt text provided for this image

Reduce, Reuse, Renew – Another trend in cybersecurity is the reduction in overall vendors. Less hands in the pie means less possibilities for crumbs. Of data breaches in the last 10 years, nearly ALL were related to vendor access or failures by vendors to maintain security policy already in place by the organization. Why? Read your contract. It’s not their job! Keeping only security-minded vendors may be difficult but knowing which are not allows you to place a virtual fence around their access.

Cloud Is NOT Secure – Bring on the hate mail, but your Cloud service provider doesn’t care about your security. If you aren’t using a virtual firewall on the Cloud, get one NOW! Most penetration tests show more wide-open ports on Cloud servers than any other service. Why? You access the Cloud across the open Internet, and they DO NOT use firewalls or block ports. Also, if Ransomware hits you internally, you could very easily infect your Cloud servers and vice versa. Run antivirus, firewalls, security software, and always update Cloud devices. A breach is not the time to find out your Cloud provider doesn’t understand how networks work.

No alt text provided for this image

Holistic, End-to-End Monitoring – Knowing your applications and systems end to end allows for anomaly monitoring. This requires baselining and knowing what is normal during different parts of the day. If you know the backup server shouldn’t be downloading customer data to a workstation at noon, you know this is suspicious. If you’re not monitoring, you’ll never know! Cybersecurity vendors exist to provide this level of system understanding, but they are not cheap and there is no single piece of software that doesn’t rely on Human discernment.

Many vendors don’t care about your security.  If you or your cybersecurity vendor know how all the vendors interact, you can pinpoint where issues and vulnerabilities are and hold the responsible vendor accountable. Knowledge is power and a necessary requirement for modern IT.

No alt text provided for this image

Want to see an article on a specific subject? Need help? Reach out. We are all in this together.

Shawn D. Stewart

Mr. Stewart has 25 years of experience with hundreds of international, commercial, military, and government IT projects. He holds or has held certifications with ISC2, Cisco, Microsoft, CompTIA, ITIL, Novell and others. He also holds a Masters in Cybersecurity, Bachelors in IT, a Minor in Professional Writing and is a published author.

Warning: Undefined array key -1 in /home/stewart/www/blog/wp-content/themes/wpxon-blog/template-parts/content-single.php on line 85

Leave a Reply