As the details of Target's massive data breach begin to emerge, the focus is beginning to shift to vendors. According to The Wall Street Journal, it seems the Target hackers breached the chain's security systems by using electronic credentials stolen from a vendor.
For in-house counsel, the immense breach highlights the need for companies to create a robust security system that extends to vendors and other interconnected business relations.
Here are five ways in-house counsel can improve their company's vendor cybersecurity:
- Segment sensitive information. For many companies, it's almost impossible to run a supply chain smoothly without divulging sensitive data to vendors and channel partners. But as a security measure, segment sensitive information so that a vendor's decision on whether to outsource a particular function doesn't carry make-or-break security implications.
- Adapt to changing circumstances. Keep abreast of the changing face of technology. It's important to practice situational awareness when it comes to cybersecurity, electronic records retention, tech proficiency, new tech awareness, and consistency. To identify potential threats, consider auditing the security practices of your cybersecurity firm, legal department and outside counsel.
- Perform cyber-attack drills with your vendors. A number of employers send fake "phishing" emails to test their employees' cybersecurity habits. These simulated tests may be effective because they are more memorable than training sessions, show how attacks work in real life, and encourage all parties to be more careful. It's not a bad idea to extend such teaching methods to vendors, too. For example, the Harvard Business Review suggests incorporating vendors into internal "war games" to test your cybersecurity. It's a more interactive way to test both your vendor's and your company's ability to respond to cyber-attacks.
- Add your cybersecurity requirements into your vendor contracts. One of the best ways to address vendor cybersecurity is to address your requirements in the vendor agreement itself, either in a clause or as a separate agreement. By building security requirements into the contract negotiation process, you and your vendor can communicate expectations and understand vendor capabilities before you sign a deal.
- Plan for damage control. Prepare for the worst. Have a plan in place to help you deal with post-breach issues, such as identifying what's been breached, determining how much of the compromised data was sensitive, who needs to be contacted, and what to do next.
The Target breach and the lawsuits that followed demonstrate that your company may still be liable -- or at the very least, get roped into litigation -- when a vendor is hacked. The takeaway: make vendor security a priority.
Have any advice for improving cybersecurity? Tweet us @FindLawLP.