Posts Tagged ‘information security’

Vendor Security: The Weakest Link?

Vendors carry unique risks; here’s how to address them

Remember the TV show The Weakest Link? Running from 2000 to 2012, the show enjoyed quite a bit of popularity back in the day. Host Anne Robinson’s catchphrase “You are the weakest link, goodbye!” even became part of the cultural lexicon for a moment in time. A business’s cybersecurity strategy will inevitably have its own weakest link. No matter how well designed it is, no system is invulnerable to attack. For many businesses, vendor relationships are the weakest link. There are numerous reasons for that, ranging from third-party data access to weak authentication methods. Let’s explore how you can fortify these relationships and ensure you and your favorite vendors never need to say “goodbye.”

Vendors: a beneficial but potentially risky relationship

A good vendor relationship can be highly beneficial, bringing cost savings, expertise and innovation that can translate into lasting competitive advantage. However, there is no question that vendors can introduce security risks for a business. One of the most significant is the potential for data leaks. If a vendor doesn’t have good security policies but has access to a business’s critical systems, that can be a potential attack vector for criminals.

But that’s just the tip of the iceberg. Vendors may use third-party tools with security gaps, rely on weak passwords, or fail to meet title industry security standards. Lastly, in the event of a security incident, a vendor may not have a dedicated incident response plan, which could lead to a disruption for your business.

Simple, straightforward security steps can help

While these risks are no doubt significant, there are a lot of simple steps you can take to make your vendor relationship more secure. The most important one is also the most obvious. Only give your vendor access to the systems and data they need to meet the conditions of your service agreement.

Beyond access control, there are several other precautions to take. It is wise to lay out cybersecurity roles, responsibilities and expectations at the start of any vendor engagement. Clear expectations help vendors handle your data responsibly, respond to incidents, and uphold security policies.

You and your vendor should also be on the same page on how you will respond if a security breach unfortunately does occur. Planning ahead can minimize disruptions and long-term damage to your business. Of course, all this hinges on first developing a trusting dynamic with your vendor. If you don’t communicate openly and transparently, it becomes much more difficult to collaborate on security goals and grow together.

Lastly, it is always a good idea to conduct regular security check-ins with your vendors. This is a good way to remain aware of the systems and data your vendor has access to. These meetings can also be a time to quickly and efficiently communicate any changes in your cybersecurity strategy.

The role of vendor security agreements (VSAs)

One of the best ways to make sure you are taking the precautions outlined above is to put together a comprehensive vendor service agreement (VSA) at the beginning of a new vendor engagement. VSAs are a critical tool for managing security risks in third-party relationships, covering data protection protocols, compliance and responsibilities in the event of a breach. Other provisions often included in a VSA are access controls, encryption requirements and multi-factor authentication (MFA) policies.

Additionally, a good VSA should include your agency’s incident response framework. If you’re considering developing a framework, detail how quickly a vendor must notify you of a security event and clearly list what steps they must take to help fix the issue. This can be an especially important provision. Data shows that the timeline from when an average vendor discovers a security problem to when they notify their client is often quite long. But it can be reduced when there is a contractual obligation to notify.[i]

Lastly, businesses should also explicitly define in their VSA how they want to approach periodic security audits for their vendors. It is perhaps the most effective strategy for ensuring alignment with evolving cybersecurity standards.

Toward an ever more productive and profitable partnership

It is a rotten feeling when a vendor causes a security incident, and you must deliver an Anne Robinson-style dismissal. With a little extra work, however, you can secure these relationships and help prevent security incidents before they start. When your vendor partnerships are safe, an even more productive and profitable dynamic becomes possible.


[i] https://www.jdsupra.com/legalnews/dramatic-increase-in-the-number-of-9184679/

Are You Practicing Good “Cyber Hygiene”?

You know the value of practicing dental hygiene. The same is true for your cybersecurity!

Anyone who has been to the dentist knows the drill. You are in the middle of getting your cleaning, and your hygienist starts asking about your flossing habits and the toothbrush you use. This isn’t mere chit-chat but rather a way for your dentist to gauge your overall oral hygiene. Dentists know that keeping your teeth healthy requires more than an annual cleaning. It is a daily routine, involving consistent brushing, limiting your sugar intake, and replacing your toothbrush regularly.

While it may be tempting to take a “set it and forget it” approach to cybersecurity, resisting that impulse is crucial! Just like oral health requires daily maintenance, cybersecurity needs ongoing attention to prevent vulnerabilities from developing. In this blog, we’ll draw direct comparisons between the two to highlight the importance of good cyber hygiene.

MFA and Password Management = Daily Brushing and Flossing

Dentists will say that the first line of defense against dental problems is consistent, at-home brushing and flossing. Without a good routine in place, problems can quickly emerge. In the short term, this can include plaque build-up and gum inflammation. If neglect continues, tooth decay, cavities, chronic pain, and even systemic health issues can develop.

Weak password strategies and a lack of multi-factor authentication (MFA) often lead to similar outcomes for cybersecurity. Just like plaque builds up over time, the threat of phishing attacks or credential hacking increases without stringent protections. Eventually, the consequences can become severe, including stolen credentials, ransomware attacks, and operational disruptions. These issues can ultimately lead to reputational damage, economic fallout, and even legal penalties.

Just as brushing and flossing protect your teeth, using MFA and strong passwords can prevent cybersecurity issues before they arise.

Avoiding Suspicious Emails and Links = Reducing Sugary Food

Keeping your teeth pearly white also requires making smart choices, such as cutting back on sugar. When people indulge too much in sweet treats, it often leads to tooth decay and other issues like bad breath, gum disease, and even an increased risk of heart disease.

Similarly, failing to exercise caution with emails and links can expose your agency to cyber threats. A small lapse here and there may not seem like a big issue. But just as excessive sugar consumption eventually leads to cavities, frequent mistakes in identifying phishing attempts can quickly spiral into a security crisis.

The best way to prevent this is by changing the behaviors that create risk in the first place. Just like education on the dangers of sugar helps people make healthier dietary choices, cybersecurity training and vigilance can help your team operate more safely online.

Software and System Updates = Replacing Your Toothbrush

Good oral hygiene is not just about daily habits; it also depends on using the right tools. Experts routinely advise replacing your toothbrush every few months to maintain optimal dental health.

Like an old toothbrush that has lost its effectiveness, outdated security software may fail to detect emerging threats. Worse still, it can slow down your systems, hinder productivity, and even put your business at greater risk.

The lesson is clear: keeping your software up to date is just as critical for cybersecurity as keeping your toothbrush fresh is for dental health.

Good Hygiene: The Best Thing for Your Teeth and Your Tech!

Practicing cyber hygiene outside of an annual checkup is essential for the long-term health of both your technology stack and your business. Just as strong oral health depends on brushing, diet, and fresh tools, maintaining cybersecurity requires strong passwords, robust email security, and consistent software updates. Neglecting these steps can result in serious consequences—whether that be rotten teeth or IT system vulnerabilities. By taking these simple precautions, you can keep both your smile and your cybersecurity in top shape.

Harnessing the Power of AI for Better Antivirus Protection

Endpoint Detection and Response (EDR) is a next-generation cybersecurity solution that provides more advanced and comprehensive protection for your devices than traditional, static antivirus applications, which only address simple signature-based malware threats. While traditional antivirus programs detect and remove known malware, EDR is designed to detect and respond to more complex and sophisticated threats that often bypass traditional antivirus protection. A good EDR solution can identify existing threats already hiding on a network, which is important because current threats often go undetected for several months. Since most malware intrusions originate with the end user, it is critically important to have the very best antivirus protection on individual computers and laptops.

Here are some reasons to consider EDR as a preferred antivirus solution:

Smarter Detection: Traditional antivirus programs rely on pre-defined signatures to identify known threats. However, EDR takes a different approach. It uses behavioral analytics to detect suspicious activity in real-time, even if there are no known signatures. By monitoring file changes, registry modifications, and network traffic, EDR can detect and respond to the latest, advanced threats faster than traditional antivirus programs.

Complete Visibility: EDR provides security teams with a centralized management console to monitor and investigate activity across all devices in an organization. This makes it easier to deploy and manage security policies. Some vendors offer a fully managed model for businesses who cannot or do not want to deal with the administration or management of the EDR tool. With EDR, you don’t need to worry about manually updating antivirus software on individual devices. The central console ensures that the latest EDR protection is deployed, saving time and effort. In case of a security breach, EDR allows for a coordinated and rapid response to investigate and minimize the damage.

Real-time monitoring and continuous threat-hunting: EDR keeps a constant watch over servers, laptops, and mobile devices in real-time. It allows security teams to proactively identify and address threats before they can breach the system. By analyzing suspicious behavior, EDR can act before a breach occurs, reducing the risk of data loss or compromise.

Monitoring of servers, laptops, and mobile devices by EDR is critical for addressing threats quickly and effectively before they breach and, in the event of a breach, for containing and resolving the threat before it spreads throughout the network. EDR has a proactive threat hunting feature that allows security teams to identify threats before they become an incident. Suspicious behavior is analyzed and reacted to before a breach occurs.

Forensic Capabilities: In the event of a security breach, EDR provides forensic capabilities that help security teams investigate and understand system events and the scope of the attack. Detailed logs are available showing system events and user behavior. The logs may be used to identify the source of the attack, measure the extent of damage or intrusion, and then develop a plan to prevent a similar attack in the future. This is very useful for providing the evidence of rapid response and of the scope, extent, and timing of an event that many state breach notification requirements call for.

Integration with other security solutions: EDR seamlessly integrates with other security solutions, enabling automated incident response workflows, event logging, and monitoring across multiple platforms. This integration enhances the overall effectiveness of your cybersecurity infrastructure.

With the rapid evolution of advanced threats and sophisticated malware, relying solely on traditional antivirus programs isn’t enough. A robust EDR solution provides the best available antivirus resource: a tool that uses artificial intelligence to iterate on and continually evolve an endpoint defense. The combination of advanced detection, rapid response, real-time central monitoring, and enhanced forensic features provides a powerful tool to protect and secure your organization’s critical and sensitive data. Antivirus protection is a vital cybersecurity shield on the frontline of defense, and it is imperative that this defense is effective, today more than ever.

Interested in learning more about EDR? Notable companies that offer EDR solutions include SentinelOne, CrowdStrike, and Cisco. If you have questions about EDR and other tools and strategies to protect your networks and your business, feel free to contact me: tweyant@alliantnational.com

Protecting Customer Data

The world is awash in data. And business owners must protect their customers.

Anyone who has been paying attention over the last couple of decades knows that data is all around us. We can’t see it. We can’t touch it. But it is everywhere, informing how we work, shop, explore and entertain ourselves. Data is also extremely valuable. Advertisers covet our data. And bad actors often weaponize it for identity theft and illicit financial schemes. 

It is imperative that business leaders protect their customers’ data. Not only is it the ethical thing to do, but it is also pragmatic. The way businesses use and protect customer data is rightly coming under increasing scrutiny. Additionally, businesses that mismanage customer data can experience significant consequences to their brand and reputation. With such high stakes, it’s important to be knowledgeable on best practices for data protection. Here are some tips to get you started. 

Conduct an Audit 

The first step toward a comprehensive and proactive approach to protecting your customer base’s data is to gain a full understanding of the various types of data your business holds. Is it social security numbers? Credit card information? Online account passwords? Real estate and title insurance professionals often deal with large amounts of sensitive data. Conduct an audit to ensure that you have a full accounting for everything you and your employees hold. 

Understand the Legal Basics 

Data protection laws vary depending on where your business is and the industry in which you work. It is wise to invest the time and resources to gain a full understanding of the basics as required by law and as they apply to your specific enterprise. For instance, most people know about the Health Insurance Portability and Accountability Act (HIPAA), the 1996 federal law that stipulates that healthcare insurance industries must protect customer health information from fraud and theft. However, other state-level laws apply to all industries. Become apprised of what is required of you by law when designing data protection policies for your business. There are ample resources online that can serve as an effective primer. 

Gain Buy-In

It’s all well and good if you want to take a proactive and fastidious approach to your customers’ data, but if you have employees, you are going to need their buy-in and compliance as well. If a chain is only as strong as its weakest link, then a business can only take a comprehensive approach to data security if it treats it as an organizational priority rather than a siloed effort. 

If Possible, Throw it Out 

Only keep data you need. Schedule routine reviews of the customer data you are holding and have a process in place to decide when you can safely dispose of it. Considering that you have an ethical and often legal obligation to safeguard customer data, this can be a great strategy for limiting your company’s exposure. 

Do What You Can

Protecting customer data can be an expensive and time-consuming effort. In fact, major corporations often spend millions of dollars to secure this information. You may not have access to such resources. However, there are still practical steps you can take to operate a more data-secure shop.

Consider, for instance, limiting employee access to data, only giving them as much information as they need to effectively do their jobs. Be sure to also have a process in place for properly destroying and disposing of both physical and cyber versions of customer data. Lastly, you could even consider looking into a designated server for your most sensitive data. While using a shared server might be more economical, it carries a security risk. 

Go the Extra Mile

We know that running a title agency is no easy matter. Time is always tight, resources thin, and sometimes it can feel as if taking on a new initiative will be the straw that breaks the proverbial camel’s back. Still, it’s important to remember that customers are worth the effort. As title professionals, our customers entrust us with some of their most sensitive data, and we must do our best to protect it.

Proper Data Disposal

We’re buried under data – both tangible and digital. Do you have a plan for disposing of it securely?

By Bryan Johnson, IT Director, Alliant National Title Insurance Company 

We live in a world of data. The internet runs on it. Companies and governments collect it. Each person carries around a tiny data collection device in their pocket in the form of a smartphone, which catalogs our spending, socializing and travel habits.

Unsurprisingly, personal data is an important part of real estate transactions, and the business can involve the exchange of names, employment information, contact numbers, email addresses and, of course, financial information. Considering that trust is critical to any given transaction, real estate professionals should make all possible efforts to safeguard this personal information and properly secure or dispose of it as appropriate once a transaction is completed.

Formalize Your Policy           

When thinking about customer data and how it should be handled, start from the beginning. Set up a formalized policy that will be the standard across your agency. Having a clear, step-by-step process will make it easier to reduce mistakes when handling data. It will also streamline your ability to bring people up to speed on your processes and procedures – ultimately saving time and money. 

Local vs. Network Drives vs. Cloud Storage Services

Once you start actually disposing of your customers’ files, keep in mind that data can live in multiple locations. You may have files on your local work computer that also live on your company’s network or on a cloud storage service. To ensure a given file is gone for good, you need to erase it in all locations. Many network and cloud storage solutions will also still retain copies of deleted files in what is commonly called a recycle bin. If you intend to permanently delete your files, you will need to make sure they are purged from the recycle bin as well.

Hard Drives

There is a lot of information stored on hard drives. Once you no longer need a particular drive, it is always a good idea to enlist the services of a professional data destruction company. Most major cities will have several companies from which to choose. These businesses can either physically shred your hard drives or even degauss them, which involves an incredibly powerful magnetic field that completely erases all data.

A Not So Paperless World

Although personal computing has been commonplace for more than 25 years, we live in a world where paper still flows and customer information still exists in a tangible form. Be sure to treat your clients’ physical information with the same care as you do their digital. To dispose of paper data, deploy a good shredder. After that, it is ideal to use the services of a professional recycler or data destruction provider.

Final Thoughts 

Increased access to data is one of the great double-edged swords of the information age. While it has made conducting business easier, faster and more convenient, it has also left individuals and companies vulnerable to data breaches and fraud. By leveraging data effectively and safely, you will be able to conduct your real estate transactions with greater speed and dexterity. Just be sure you don’t mistakenly end up putting private information at risk!
