If you work in a business that handles customer or employee information, you are almost always a target. Nashville-based managed IT service provider ImageQuest asserts that the target is even bigger if you work in medicine or finance. We recently sat down with reps from the company to discuss ways to reduce a business’s risk of its information falling into the wrong hands. We found out that it is not just a single company that must take responsibility, but its vendors as well.
Keep reading to find out more about what ImageQuest had to say about security downstream and vendor management plans.
Q: IT security is a hot topic, and we assume that most big businesses have procedures in place to keep their customers’ information safe. Why is that not enough?
ImageQuest: A business can have the strictest security measures in place, but vendors are usually a weak spot. Hackers are fully aware of all the different ways to infiltrate information on databases. One of these is to infect a vendor’s digital infrastructure.
Q: How does that provide access to data files?
ImageQuest: When a vendor has access to a company’s systems, that means that anyone who has access to that vendor can gain access, too. The Target breach of 2014 is a perfect example. Target, which is one of the leading retailers in the US, has exceptional IT security. However, they hired an HVAC vendor that needed access to its network. The vendor did not have tight cybersecurity. Because of this, malware introduced to the HVAC service provider’s network made its way into Target’s system when it was accessed by HVAC workers. Had Target taken the step of checking out its vendors’ IT Security measures, this might have been prevented.
Q: Are issues like this really preventable?
ImageQuest: If you implement certain security measures, you are much less likely to suffer a data breach. However, because the threats and risks evolve all the time, it requires extensive expertise and resources to stay secure. Our Nashville-based managed IT service experts have both of these and are well aware of the risk of not enacting a vendor management plan.
Q: What is a vendor management plan?
ImageQuest: At its core, a vendor management plan is a component of a managed IT service program. It is used to assign a risk rating to all of an organization’s vendors. If written, managed, and executed correctly, a vendor management plan can help you make better decisions regarding your vendors. In many cases, it will encourage service providers to meet industry-specific regulations if their goal is to continue earning your business.
Q: How does a business begin putting together a vendor management plan?
ImageQuest: The first step is to conduct a thorough risk assessment, and then ensure that you understand pertinent regulations. Start by determining how much information your business actually collects and stores. Do you keep personally identifiable information, such as names, birthdays, and Social Security numbers, or financial data, such as bank routing numbers and credit card numbers? If you do have this type of data contained within your network, determine how much, if any, access your vendors have or need.
Q: What regulations might apply to a business’s offsite partners and vendors?
ImageQuest: Again, that depends on your industry. If you are in healthcare, for example, you’ll be subject to HIPAA because you will collect protected health information. FINRA, the SEC, GLBA, and CUNA create guidelines in the financial services sector. Even your managed IT service provider will have to meet whatever criteria these institutions outline for your business. When you process sensitive data from multiple states, you may also be required to follow by state-specific cybersecurity regulations.
Q: As a managed IT service in Nashville, can ImageQuest help draft a vendor management plan for a business in other parts of the country?
ImageQuest: We offer our services throughout the US. All it takes is a quick call to get started. However, we can offer this advice to anyone: Ask your vendors to provide you with copies of their documentation and security procedures. We like to think of this as a “trust but verify” step in the company/vendor relationship. Once they respond, you can ask them to rectify any deficits in their processes.
For more information about Managed IT Services, Cybersecurity, and IT Compliance, please contact ImageQuest today by visiting their website: www.imagequest.com.