Several universities recently became victims of a data breach caused by vulnerabilities in file transfer software linked to an IT security company. That raises the question of whether a university can be breached through one of its IT vendors, and the answer is a resounding "yes."
The consequences of such a breach can be devastating. In this case, sensitive information from the affected universities was posted on the dark web, leaving staff, students, and faculty exposed to fraud and identity theft.
How Do You Guard Against Third-Party Risk?
We discussed the implications of third-party vendors for PCI compliance and risk in our two-part series (here and here). There are steps you can take to stay within PCI DSS requirements and to minimize the risk your vendors introduce. Here are some guidelines for avoiding breaches and other security issues that originate with third-party vendors.
Properly Analyze & Evaluate Vendors
One vendor misstep is all it takes to compromise your network. Start by inventorying your vendors and determining exactly what data and systems each one can reach. Require secure access methods (individually named accounts with multi-factor authentication rather than shared credentials, for example), and harden the endpoints and network segments that vendors connect to, so that a compromised vendor cannot move beyond its approved scope. Each vendor's security and compliance posture should be aligned with yours. Ask whether the vendor has been breached before and how they responded, and review the security controls they have implemented to confirm that their security management policies are adequate to keep your organization PCI compliant.
Make Reporting & Auditing a Priority
Building relationships with secure and trustworthy vendors means making auditing and reporting a priority. The records you keep serve both internal reviews and external auditors. Logging and monitoring third-party access lets you spot unexpected or out-of-scope activity and take remedial steps immediately. Automating these processes saves time and money while streamlining security, so consider a vendor access management platform that supports automation.
Your vendors' security controls should meet your own requirements, and you should assess each vendor's security posture thoroughly. The next step is to enforce strict, least-privilege controls over the access you grant to third parties, including which data each vendor contact can view on your network. A lack of oversight here increases risk, while tight control over vendor access significantly reduces the chance of a third-party data breach.
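As an added illustration of the access review described above (example code written for this page, not a tool from the authors or any vendor), the following Python script reconciles a constructed vendor inventory against the accounts those vendors hold and flags the conditions an auditor would ask about: entitlements outside the vendor's approved scope, accounts on cardholder-data systems without multi-factor authentication, dormant accounts, accounts belonging to vendors missing from the inventory, and vendors whose security assessment is overdue. All vendor names, account names, scope labels, and thresholds are invented for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

# Thresholds are assumptions for this example; set them from your own policy.
DORMANT_AFTER = timedelta(days=90)          # unused vendor accounts should be disabled
ASSESSMENT_VALID_FOR = timedelta(days=365)  # vendor assessments must be refreshed yearly
CDE_SCOPES = frozenset({"cardholder_data", "payment_gateway"})  # scopes that need MFA


@dataclass(frozen=True)
class Vendor:
    name: str
    approved_scopes: FrozenSet[str]   # data/system scopes the contract allows
    last_assessment: date             # date of the last security assessment


@dataclass(frozen=True)
class VendorAccount:
    username: str
    vendor: str
    entitlements: FrozenSet[str]      # scopes the account can actually reach today
    mfa_enabled: bool
    last_login: Optional[date]        # None means the account has never been used


@dataclass(frozen=True)
class Finding:
    subject: str   # vendor or account the finding is about
    code: str      # short machine-readable reason
    detail: str    # human-readable explanation for the audit report


def review_vendor_access(vendors: Dict[str, Vendor],
                         accounts: List[VendorAccount],
                         today: date) -> List[Finding]:
    """Compare granted access against the vendor inventory and return findings."""
    findings: List[Finding] = []

    # Vendor-level check: is the security assessment still current?
    for vendor in vendors.values():
        age = today - vendor.last_assessment
        if age > ASSESSMENT_VALID_FOR:
            findings.append(Finding(vendor.name, "ASSESSMENT_OVERDUE",
                                    f"last assessed {age.days} days ago"))

    # Account-level checks.
    for acct in accounts:
        vendor = vendors.get(acct.vendor)
        if vendor is None:
            # Access exists for a vendor nobody owns: the most dangerous case.
            findings.append(Finding(acct.username, "UNKNOWN_VENDOR",
                                    f"vendor '{acct.vendor}' is not in the inventory"))
            continue

        extra = acct.entitlements - vendor.approved_scopes
        if extra:
            findings.append(Finding(acct.username, "OUT_OF_SCOPE",
                                    f"has {sorted(extra)} beyond approved scope"))

        if acct.entitlements & CDE_SCOPES and not acct.mfa_enabled:
            findings.append(Finding(acct.username, "MFA_MISSING",
                                    "reaches cardholder-data scope without MFA"))

        if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
            findings.append(Finding(acct.username, "DORMANT",
                                    "not used within the dormancy window"))

    return findings


def findings_by_code(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per code, for a summary line in the audit report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts


# Constructed sample data (not real vendors or accounts).
REVIEW_DATE = date(2024, 6, 1)
VENDORS: Dict[str, Vendor] = {
    "acme-backup": Vendor("acme-backup", frozenset({"backups"}), date(2024, 1, 15)),
    "filemover": Vendor("filemover", frozenset({"sftp_dropbox"}), date(2022, 11, 1)),
    "paygate-support": Vendor("paygate-support", frozenset({"payment_gateway"}), date(2023, 12, 1)),
}
ACCOUNTS: List[VendorAccount] = [
    VendorAccount("acme-jsmith", "acme-backup", frozenset({"backups"}), True, date(2024, 5, 28)),
    VendorAccount("filemover-svc", "filemover", frozenset({"sftp_dropbox", "cardholder_data"}), False, date(2024, 5, 30)),
    VendorAccount("paygate-ops", "paygate-support", frozenset({"payment_gateway"}), True, date(2024, 1, 10)),
    VendorAccount("legacy-contractor", "oldvendor", frozenset({"hr_records"}), False, None),
]

if __name__ == "__main__":
    for f in review_vendor_access(VENDORS, ACCOUNTS, REVIEW_DATE):
        print(f"{f.code:<18} {f.subject:<18} {f.detail}")
    print(findings_by_code(review_vendor_access(VENDORS, ACCOUNTS, REVIEW_DATE)))
```

Run against the sample data, the review flags the file transfer vendor's overdue assessment and its service account that has quietly accumulated cardholder-data access without MFA, a dormant payment-gateway account, and an orphaned account whose vendor is not in the inventory at all, while the correctly scoped, recently used backup account produces no finding. In practice the inventory and account lists would be pulled from your vendor register and identity provider rather than hard-coded.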
Emerging technologies, greater connectedness, and more vendors often mean more convenience and streamlined operations, but they also mean a broader attack surface for bad actors. One weak link in the security chain can put your entire organization at risk, leading to regulatory fines, reputational damage, and financial losses. Guarding against breaches and other risks means rigorous adherence to PCI DSS requirements and ensuring that you and your vendors follow security best practices.
Worried about the scope of these responsibilities and looking for some guidance and support? Contact us today to learn more about how we can help you manage and streamline PCI compliance.