Vendor security checklist: 20 questions to ask a security vendor
If you own a business, choosing a vendor to meet your cybersecurity needs is not an easy task, but it is an important consideration when it comes to safeguarding your customers’ personal and financial information. To help you, we have created this checklist with some questions you should consider asking current or potential vendors.
It is not exhaustive, but it gives you a good start. If you don’t understand some or any of these questions, consider having a business partner or colleague help you interview vendors. And always remember to engage in a service level agreement and contract with the vendor so all expectations are clearly articulated.
20 questions to ask a security vendor
1. Does your company have a pre-employment screening policy for employees and contractors? What is that process? What is your process for training them on security best practices?
2. Does your company have a written control plan that contains the administrative, technical and physical safeguards you use to collect, process, protect, store, transmit, dispose or otherwise handle our data (e.g., information security plan)?
3. Does the system or application which will be storing our company data provide access control mechanisms (e.g., unique user IDs, passwords standards, role-based access)?
4. How will you help me comply with all applicable privacy and security laws for my business?
5. What certifications, if any, does your company hold (e.g., ISO 27001, SOC), and can you provide documentation?
6. Does the system or application provide multi-tenant controls for separation of users and data within the service?
7. Does your company utilize encryption methods for data in transit and data at rest where technically possible and legally permissible?
8. Are files and records reviewed, retained, and purged in accordance with legal requirements, contractual obligations and service level agreements?
9. What is your process for purging all files and records and removing accesses upon completion of the service, task, or contract?
10. What is your commitment to response time if I have a question or emergency? Do you have “off” hours?
11. Does your company have written business continuity/disaster recovery plans, which are tested on a periodic basis?
12. Does your company ensure adequate steps are taken to guard against unauthorized access to our company data (e.g., firewall)? Please list the technology and processes that are in place.
13. Does your company maintain up-to-date versions of anti-virus software, anti-malware, antispyware, and operating systems security patches? Please elaborate.
14. What will your company actively do to prevent security incidents or breaches, and how often do you plan to check for vulnerabilities? Please elaborate.
15. Does your company have a written plan to promptly identify, report, and respond to breaches of security related to our company data (e.g., incident response plan)?
16. Would our company retain ownership of its data at all times?
17. Does your company hire an external audit firm to perform a compliance review of your operational controls?
18. Will third party vendors (e.g., subcontractor, managed shared hosting) used by your company be restricted from having access to the system or application data of our company?
19. Does your company provide assurance (in the form of a written report) of your and your third-party vendor’s security and controls while customer data is being collected, processed and retained?
20. Can your company, and any relevant third-party service provider your company contracts with, send the results of your last security audit?
Hiring a security vendor is crucial to ensuring your customers’ personal and financial information is safe from hackers or other cybersecurity threats. Over the next few months, we’ll share greater insight and tips on other ways to safeguard your business and protect your customers’ financial information. In the meantime, we offer additional resources to brush up on your financial education with ACHIEVE for consumers and small businesses. Click here to start learning today.
How to protect yourself from phishing
Phishing is when criminals use fake emails to lure you into clicking on links or attachments and handing over your personal or financial information, or installing malware on your device. It’s also one of the most common cybercrimes, with an estimated 3.4 billion spam emails sent daily. It’s easy to avoid a scam email, but only once you know what to look for. Below are a few tips on how you can protect yourself from phishing:
Learn how to spot phishing attempts
Your email spam filters typically do a good job at filtering emails, but fraudsters are always trying to outsmart filters. The signs can be subtle, but once you recognize a phishing attempt you can avoid falling for it. Here are some quick signs that an email is a phishing attempt:
- Contains an offer that’s too good to be true
- Language that’s urgent, alarming, or threatening
- Poorly crafted writing with misspellings and bad grammar
- Greetings that are ambiguous or very generic
- Requests to send personal information
- Urgency to click on unfamiliar hyperlinks or attachments
- Strange or abrupt business requests
- Sending e-mail address doesn’t match the company it’s coming from
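The signs listed above can be turned into a simple triage check. The script below is an added example, not part of the original post: it parses a raw email, looks for each sign (a sender domain that does not match the company named in the display name, urgent wording, a generic greeting, a request for personal details, and link text that names a different site than the link target), and reports what it found. The keyword lists and both sample messages are constructed for illustration, not the rules of any real spam filter.

```python
"""Heuristic triage of an e-mail against the phishing signs listed above.

Added example, not part of the original post. The two sample messages are
constructed, and the keyword lists are illustrative assumptions, not the
rules of any real spam filter.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed indicator lists, one per sign in the list above.
URGENT_WORDS = ("immediately", "urgent", "within 24 hours", "suspended", "final notice")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "dear member")
INFO_REQUESTS = ("social security", "password", "account number")
TOO_GOOD = ("you have won", "prize", "free gift", "lottery")
# HTML anchor: the target URL and the text the reader actually sees.
ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]*)</a>', re.I)


def registrable(host: str) -> str:
    """Crude last-two-labels domain: 'mail.examplebank.com' -> 'examplebank.com'."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(text: str) -> str:
    """Domain of a URL or bare host name as it appears in the mail."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return registrable(urlparse(text).hostname or "")


def phishing_signs(raw: str) -> list[str]:
    """Return the phishing signs found in a raw RFC 5322 message (empty list if none)."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = body.lower()
    signs = []

    display, addr = parseaddr(msg.get("From", ""))
    from_domain = registrable(addr.partition("@")[2]) if "@" in addr else ""
    # Display name claims an organisation whose name is absent from the sending domain.
    claimed = re.search(r"([a-z0-9-]+)\s*(bank|credit union|support)", display.lower())
    if claimed and claimed.group(1) not in from_domain:
        signs.append("sender address does not match claimed company")

    if any(w in text for w in URGENT_WORDS):
        signs.append("urgent or threatening language")
    if any(text.lstrip().startswith(g) for g in GENERIC_GREETINGS):
        signs.append("generic greeting")
    if any(w in text for w in INFO_REQUESTS):
        signs.append("request for personal information")
    if any(w in text for w in TOO_GOOD):
        signs.append("offer too good to be true")

    # Visible link text names one site while the href goes somewhere else.
    for href, label in ANCHOR_RE.findall(body):
        if "." in label and host_of(label) != host_of(href):
            signs.append("link text does not match link target")
            break
    return signs


# Constructed samples: one phish and one legitimate notice.
SAMPLE_PHISH = """\
From: "Example Bank Support" <alerts@secure-login-verify.test>
To: dana@example.com
Subject: Action required
Content-Type: text/html

Dear Customer, your account will be suspended within 24 hours.
Confirm your password at <a href="http://secure-login-verify.test/x">www.examplebank.com</a>.
"""

SAMPLE_LEGIT = """\
From: "Example Bank Alerts" <alerts@examplebank.com>
To: dana@example.com
Subject: Your statement is ready
Content-Type: text/plain

Hi Dana, your March statement is now available in online banking.
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_signs(sample) or "no signs found")
```

A message that trips several signs at once deserves reporting to your IT contact rather than a reply; a single weak hit on its own (one urgent word in an otherwise normal mail) is not proof of anything.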
What to do if you see a phishing email
Don’t worry, you’ve already done the hard part which is recognizing that an email is fake and part of a criminal’s phishing expedition. If it came to your work email address, report it to your IT manager or security officer as quickly as possible.
If you’re at home and the email came to your personal email address, do not click on any links (even the unsubscribe link) or reply to the email; delete it altogether. You can take your protection a step further and block the sending address in your email program, too.
What to do if you accidentally click a link in a phishing email
If you accidentally click a link or attachment in a phishing email, you need to act quickly. Immediately disconnect your device from the internet: if you’re connected via Wi-Fi, open the Wi-Fi settings on your device and disconnect from the network; if you’re connected using an ethernet cable, unplug it. After disconnecting from the internet, back up your files to external storage, such as a USB thumb drive or an external hard drive, or to cloud storage.
After, scan your device for malware. If you’re not technologically savvy, it’s best to leave this to a professional. Some malware can be disguised as a legitimate program. You’ll also want to change your credentials, so your personal or financial information can’t be compromised. If you don’t already, be sure to use different passwords across accounts, so it’s more difficult for scammers to access your information. Lastly, freeze your credit and set up fraud alerts with one of the three major credit bureaus (Experian, Equifax, and TransUnion). Once you’ve notified one bureau, they legally must notify the others.
Scams are becoming increasingly common, especially in today’s technology-driven age. It’s important to remain vigilant and continue to educate yourself, friends, and loved ones on new tactics that may arise. This is part four of an 11-part series on cybersecurity and how you can protect yourself online in today’s digital age. For more educational tools and tips, visit our resource center.
How to use passwords to protect your finances
Passwords and strong authentication are like keys to your home but online. Do everything possible to prevent people from gaining access to your password. Strong passwords can be inconvenient, but they’re critical if you want to keep your personal and financial information safe. Below are some simple tips to secure your accounts through better password practices.
Ensure passwords are long, unique, and complex
Whether it’s your online banking or social media account, all passwords should be created with these three words in mind:
- Long – Your password should be at least 12 characters long.
- Unique – It’s easier said than done, but avoid reusing passwords. Each of your accounts needs a unique passphrase.
- Complex – Combine upper- and lowercase letters, numbers, and special characters. Some websites will even let you include spaces.
Focus on positive sentences or phrases that you will remember but also use a combination of letters, numbers, and symbols. Do not use sequential letters or numbers, like “qwerty” or “1234.”
Contrary to popular belief, you do not need to constantly change your passwords. The National Institute of Standards and Technology recommends against frequent password changes in their Digital Identity Guidelines. Just remember to change your password if there is unauthorized access to your account or if it is part of a data breach.
Use a password manager
As our lives expand while we do more online, we’ve gone from having a couple of passwords to today, where we might manage upwards of 100 passwords. If you’re like most people, you’re probably using the same passphrase for most of your accounts—and that’s not safe. Around 66% of Americans use the same password across multiple accounts, which can be detrimental to your personal or financial information. If your passphrase gets stolen because of a breach, it can be used to gain access to all your accounts and your sensitive information. But no need to fret—password managers are easy to use and make a big difference.
How does a password manager work?
The best way to manage unique passphrases for the ever-increasing number of online accounts we own is through a password manager application. A password manager is software that manages your online credentials, such as usernames and passwords. It stores them in an encrypted database and generates new passphrases when needed.
Because the password manager stores all your passwords, you don’t need to memorize login information or keep that secret password paper in your drawer. Now, you only need to remember one password to unlock your vault in the manager app, making things seamless.
What are the advantages of a password manager?
Easy to use
Password managers save time and are easy to use because you only need to memorize one password, which makes your credentials easily accessible and quick to fill in.
Protects your identity
Using the same passphrase across accounts poses a security risk. With a password manager, you’re more likely to use unique, complex passwords for each application. Some password managers will also generate and store secure passwords for you.
Most password managers are compatible with mobile devices, allowing you to access your passwords on the go. Many phones also feature a built-in manager, like iCloud Keychain.
What are the disadvantages of a password manager?
Single point of failure
One significant disadvantage of a password manager is that, because all your accounts can be accessed via a single strong password, there is a risk that the password manager itself is hacked. While using a password manager, multi-factor authentication is imperative to keeping your data safe.
You’re not protected from everything
While password managers help protect your passwords, they don’t prevent other attacks, like phishing, malware, or keyloggers. Even if you use a password manager, follow best practices and don’t click, open, or download any suspicious links or files. Remember, Georgia’s Own will never ask you for sensitive information via email or text message, such as your account number, Social Security number, or password.
Passwords are the first line of defense in protecting your personal and financial information. Using a strong passphrase and a password manager are just a couple of ways to safeguard your sensitive information from fraudsters. This is part three of an 11-part series on cybersecurity and how you can protect yourself online in today’s digital age. For more educational tools and tips, visit our resource center.
6 steps to protect your business’s financial data
As a business, you must protect your consumers’ financial data. If your company’s sensitive, financial information is hacked, you could suffer from financial loss and brand mistrust or damage—and possibly lose customers. Ensuring the safety of your customers’ financial information can be daunting, especially if you’re unsure where to start. Below are six steps you need to take to protect your business’s financial data:
1. Identify critical assets and systems
The first step in protecting your business from cyber threats and securing financial data is to identify the “crown jewels” of your business—the assets and systems critical to your business: the data that cybercriminals consider a high-value target, or without which your business would have difficulty operating.
To start, create a detailed inventory of data and physical assets, and update it routinely. Record the manufacturer, make, model, serial number, and support information for hardware and software. For software, know the specific version that is installed and running. You should also know where data and technology are stored and who can access both.
2. Protect your data and devices
Once you’ve identified your data and devices, how do you protect them? Ultimately, your goal is to build a culture of cybersecurity that includes employees knowing how to protect themselves and the business. You should also understand the cyber risks as your business grows or adds new technologies or functions.
3. Keep your software up to date
Installing the latest security software, web browser, and operating system is the best defense against viruses, malware, and other online threats. Regularly updating your software helps ensure your company is not exposed to known security flaws.
Many software programs will automatically connect and update to defend against known risks—turn on automatic updates if that’s an available option. Automatic software updates allow you to get the latest security fixes as quickly as possible without doing anything.
4. Use strong authentication procedures
Use a robust authentication process, like two-factor or multi-factor authentication, to protect access to accounts and ensure only those with permission can access them. Multi-factor authentication (MFA) adds layers of security, typically by sending a one-time password generated in real-time, making it harder for hackers to crack. MFA can reduce security breaches by up to 99%—allowing you to protect your business’s sensitive information.
This also includes enforcing secure passphrases. A strong password is at least 12 characters long and combines letters, numbers, and symbols. Do not use sequential letters or numbers, like “qwerty” or “1234.” It’s also recommended to use separate passwords for different accounts. Using the same password for every account could be detrimental in a security breach. If you use the same password for your social media account and (for example) your POS system, your customers’ financial information could potentially be stolen if your social media accounts were hacked.
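The password rules above, and the same three rules (long, unique, complex) in the earlier post on passwords, can be enforced mechanically. The checker below is an added example, not code from the original posts: it reports every rule a candidate password breaks, including sequential runs such as “qwerty” or “1234” in either direction, and the “unique” rule against a set of passwords already in use. The rule strings and the 4-character run length are assumptions.

```python
"""Checker for the password rules above: at least 12 characters, mixed
character classes, no sequential runs like "qwerty" or "1234", and no reuse
across accounts. Added example, not part of the original post; the rule
strings and the 4-character run length are assumptions."""
import string

MIN_LENGTH = 12
RUN_LENGTH = 4  # a sequence this long or longer counts as "sequential"
# Keyboard rows and the digit row; reversed rows are checked too.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def sequential_run(password: str):
    """Return the first run of consecutive characters (abcd, 4321, qwer), or None."""
    low = password.lower()
    for i in range(len(low) - RUN_LENGTH + 1):
        window = low[i:i + RUN_LENGTH]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):  # ascending or descending by code point
            return window
        if any(window in row or window in row[::-1] for row in KEYBOARD_ROWS):
            return window
    return None


def password_problems(password: str, previous=()) -> list:
    """List every rule the password breaks; an empty list means it passes.

    `previous` holds the passwords already used on other accounts (a password
    manager can supply this) so the "unique" rule can be enforced."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    # Spaces count as special characters; the text notes some sites allow them.
    if not any(c in string.punctuation or c == " " for c in password):
        problems.append("no special character")
    run = sequential_run(password)
    if run:
        problems.append(f"sequential run {run!r}")
    if password in previous:
        problems.append("reused from another account")
    return problems


if __name__ == "__main__":
    for candidate in ("qwerty1234", "Passw0rd", "Sunny Day 4 Tacos!"):
        print(repr(candidate), password_problems(candidate) or "ok")
```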
5. Back up data
Back up your data by implementing a system—either in the cloud or via separate hard drive storage—that regularly makes electronic copies of essential information. If you have a copy of your data and your device falls victim to cyber threats, you can restore data from a backup.
Use the 3-2-1 rule as a guide to backing up your data. The rule is to keep at least three (3) copies of your data and store two (2) backup copies on different storage media, with one (1) of them located offsite. Limit access to data or systems only to the employees who require it to perform the core duties of their jobs.
6. Keep a clean and secure device
Your company should have clear rules for what employees can install and keep on their work computers. Employees installing unapproved software poses a major threat and could compromise sensitive data.
Employees should also know not to open suspicious links in emails, tweets, posts, online ads, messages, or attachments—even if they know the source. Employees should also be instructed about your company’s spam filters and how to use them to prevent unwanted, harmful emails. Encourage employees to keep an eye out and say something if they notice anything strange on their computers.
Protecting your customers’ sensitive financial data is one of the most critical aspects of owning a business. Over the next few months, we’ll share greater insight and tips on other ways to safeguard your business and protect your customers’ financial information. In the meantime, we offer additional resources to brush up on your financial education with ACHIEVE for consumers and small businesses. Click here to start learning today.
10 common cybersecurity misconceptions
Running a business takes dedication—from day-to-day tasks and managing your employees to managing finances, a business owner wears many hats. When considering all the responsibilities at hand, cybersecurity may not be at the forefront of your mind. However, it’s a critical component that needs to be considered. You need to protect your employees’ and customers’ personal and financial information—and protect your business’s hard-earned cash. Below are ten common cybersecurity misconceptions that you need to be aware of, as well as the actions you can take to safeguard your business.
1. My data isn’t valuable
Organizations of all sizes maintain (or have access to) valuable data worth protecting. Such data may include, but is not limited to, employment records, tax information, confidential correspondence, point-of-sale systems, and business contracts. All data is valuable. Assess the data you create, collect, store, access, and transmit. Then, classify that data by its level of sensitivity so you can take appropriate steps to protect it.
2. Cybersecurity is a technology issue
Organizations cannot rely on technology alone to secure their data. Cybersecurity is best approached with a mix of employee training, clear and accepted policies and procedures, and implementation of up-to-date technologies such as antivirus and anti-malware software. Securing an organization is the responsibility of the entire workforce, not just the IT staff. Educate every employee (in every function and at all levels of the organization) on their responsibility to help protect information. The National Institute of Standards and Technology offers a guide with more information on creating, developing, and implementing an employee awareness training program.
3. Cybersecurity requires a large financial investment
A robust cybersecurity strategy does require a financial commitment if you are serious about protecting your organization. However, there are many steps you can take that require little or no financial investment.
Create and institute cybersecurity policies and procedures, restrict administrative and access privileges, enable multi-factor or two-factor authentication, train employees to spot malicious emails, and create backup manual procedures to keep critical business processes in operation during a cyber incident. Such procedures may include processing payments in case a third-party vendor or website is not operational. The “Quick Wins” sheet created by the National Cybersecurity Alliance is an excellent starting point for steps you can begin implementing.
4. Outsourcing work to a vendor will wash your hands of security liability in the case of a cyber incident
It makes complete sense to outsource some of your work to others, but it does not mean you relinquish responsibility for protecting the data a vendor can access. The data is yours, and you have a legal (and ethical) responsibility to keep it safe and secure.
Ensure you have thorough agreements in place with all vendors, including how company data is handled, who owns the data and has access to it, how long the data is retained, and what happens to data once a contract is terminated. You should also have a lawyer review any vendor agreements.
5. Cyber breaches are covered by general liability insurance
Many standard business liability insurance policies do not cover cyber incidents or data breaches. Speak with your insurance representative to understand if you have any existing cybersecurity insurance and what type of policy would best fit your company’s needs. The Federal Trade Commission’s (FTC) Small Business Center has more information on how to handle this.
6. Cyberattacks always come from external actors
Simply put, cyberattacks do not always come from external actors. Some cybersecurity incidents are caused accidentally by an employee—such as when they copy and paste sensitive information into an email and send it to the wrong recipient. Other times, a disgruntled (or former) employee might take revenge by launching an attack on the organization.
When considering your threat landscape, it is crucial not to overlook potential cybersecurity incidents that can come from within the organization, and to develop strategies to minimize those threats. The Cybersecurity and Infrastructure Security Agency (CISA) offers free resources to help you mitigate the risk of a cyberattack.
7. Young people are better at cybersecurity than others
The youngest person in the organization often becomes the default IT person. However, age doesn’t correlate to better cybersecurity practices. Before giving someone the responsibility to manage your social media, website, network, etc., educate them on your expectations of use and cybersecurity best practices.
8. Compliance with industry standards is enough for a security program
Complying with the Health Insurance Portability & Accountability Act (HIPAA) or Payment Card Industry (PCI), for example, is a critical component to securing sensitive information, but simply complying with these standards does not equate to a strong cybersecurity strategy for an organization. Use a robust framework, such as the NIST Cybersecurity Framework, to manage cybersecurity-related risk.
9. Digital and physical security are separate
Many people narrowly associate cybersecurity with only software and code. However, do not discount physical security when protecting your sensitive assets.
Assess your office’s layout and how easy it is to gain unauthorized, physical access to sensitive information and assets (e.g., servers, computers, paper records). Once your assessment is complete, implement strategies and policies to prevent unauthorized physical access. Policies may include controlling who can access certain areas of the office and appropriately securing laptops and phones while traveling. Here are some steps you can take to protect the information in paper files and hard drives, laptops, point-of-sale devices, and more.
10. New software and devices are automatically secure when I buy them
Just because something is new doesn’t mean it’s secure. The moment you purchase new technology, secure the device and ensure it is operating with the most current software. Immediately change the manufacturer’s default password to a secure passphrase. When creating a new passphrase, use a lengthy, unique phrase for the account or device. Did you sign up for a new online account? Be sure to immediately configure your privacy settings before using the service.
Dispelling the above cybersecurity misconceptions is essential to securing your business’s personal and financial information. Over the next few months, we’ll share greater insight and tips on other ways to safeguard your business. In the meantime, we offer additional resources to brush up on your financial education with ACHIEVE for consumers and small businesses. Click here to start learning today.
What is multi-factor authentication?
Multi-factor authentication (MFA) (also known as two-factor authentication or two-step verification) is a security measure that requires anyone logging into an account to navigate a two-step process to prove their identity. MFA makes it twice as hard for criminals to access an online account and obtain personal or financial information. It’s an easy protective measure that increases your security, whether it’s for your social media accounts or online banking.
How does multi-factor authentication work?
By adding a step when logging into an account, multi-factor authentication greatly increases the security of your account. Here’s how it works: Just like logging into your account, the first step is giving your password or passphrase. The second step is to provide an extra way of proving your identity, like entering a PIN, texting/emailing a code to your mobile device, or accessing an authenticator app.
What does multi-factor authentication include?
There are various ways online organizations implement two-factor authentication. Some of the most common methods include PIN or verification codes, security questions, or biometrics—below is a list of popular types of multi-factor authentication:
- An extra PIN (personal identification number)
- The answer to a security question like, “What’s your favorite pet’s name?”
- An additional code, either emailed to an account or texted to a mobile phone
- A biometric identifier, like facial recognition or a fingerprint
- A unique number generated by an authenticator app
- A secure token, which is a separate piece of hardware (like a key fob that holds information) that verifies a person’s identity with a database or system
What type of accounts offer MFA?
Not every account offers MFA, but it’s becoming more popular. It’s seen on many accounts that usually hold valuable financial or personal information, like banks and financial institutions, online stores, or social media platforms. Any place online that stores your personal information (especially financial information), or any account that could be compromised and used to trick or defraud someone else, should be protected with MFA. You should use MFA everywhere you can!
What are the pros and cons of multi-factor authentication?
Multi-factor authentication was introduced to make it harder for hackers to access systems or applications and to protect users from fraud. While the benefits outweigh the drawbacks, there are cons to multi-factor authentication. The downside is that some users forget the answers to security questions or lose their tokens. Below are some additional pros and cons of MFA:
Pros of MFA
- Adds layers of security
- Uses one-time passwords that are randomly generated in real-time, making it harder for hackers to crack
- Allows for easy setup
- Can reduce security breaches by up to 99%
- Mitigates password risks, like duplicated passwords
Cons of MFA
- A phone is needed to access text message codes, and phones can easily be lost or stolen
- Hardware tokens can get lost or stolen
- MFA can fail if there is a network outage
- Phishing is still an issue, as hackers can create phishing emails that mimic MFA texts or emails
Following the above steps is essential to securing your personal and financial information. This is the third in a series of cybersecurity education posts to help you stay safe online. Over the next few months, we’ll share greater insight and tips on other ways to safeguard your online presence. In the meantime, we offer additional resources to brush up on your financial education with ACHIEVE for consumers and small businesses. Click here to start learning today.