Breach, Data Security, Vulnerability Management

Know thy vendor

Just how well do you know the vendors who supply your information technology products and services? The answer isn't always as clear you one might think, and this lack of due diligence can have far-reaching implications for organizations' data-protection strategies.

I, for instance, know of one successful, but now defunct, privately held vendor of software and hosting services whose owner was indicated by the FBI for alleged income tax evasion involving a brother. The capper: The brother was a known terrorist associated with Palestinian Islamic Jihad.

Yet this company listed many well-known organizations -- the U.S. unit of a large European brewery, a large financial services company and a major manufacturer of fine china -- among its customers. There's no indication any of the vendor misused the customer data it had access to, but think about the possibilities.

Not performing a thorough background check of suppliers is common, according to R.M. "Reggie" Tracy, a former FBI special agent and owner of The Privacy Trust Group, an ID theft prevention and advocacy organization. When hiring a vendor, "Do companies verify that a suppler or vendor was a legally register business entity?," she asked.

"In what state are they registered? Have complaints been lodged against the vendor with the Better Business Bureau? The State Attorney Generals? The FTC? Did they even check on any of this?  Did they at least "google" the company name or registered agent on their website to see what complaints may have been made by earlier customers for the same company? Or to find out other information about the company or registered agent that may be of concern?"

She believes that most companies fail to find out these "simple details" about their vendors and suppliers. "It's mind boggling," she said.

Following what she calls information-protection best practices (IPBP) can help, she said. "Organizations must identify the appropriate IPBP for their industry and environment, document these in corporate-wide policies and procedures (for employees, networks or systems) and then fully implement them throughout their organization," she added.

"It's only a matter of time before more companies of all sizes begin to understand the potential cost of failure in information protection," she said. "We're seeing multi-million dollar lawsuits against companies who fail to employ widely accepted best practices.

"Granted, not everyone knows or understands the implications of these sometimes simple, even inexpensive best practices," Tracy emphasized. "But that is no excuse for failing to find out these best practices."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds