Remember when Target experienced a massive data breach during the 2013 holiday season? It was a big one: hackers exposed 40 million customers’ credit and debit card information and 110 million customers’ personal information, such as email and mailing addresses.
The Target data breach led to a class action lawsuit against Target and a $10 million settlement. The company also faces lawsuits from the four major credit card companies. To date, Target claims to have spent $252 million related to this single data breach, which is just one example of the many data breaches companies experience each year and the huge amount of money they cost—not to mention the damage they do to brands’ reputations.
The Data Breach Risk of Third Parties
In Target’s case, the breach occurred when hackers accessed the company’s IT infrastructure via a third-party HVAC contractor that was given permission to connect to Target’s network. It’s a disaster that could happen to many businesses today, including yours.
When you contract with outside vendors and other third parties, you open your data to risk.
For small businesses, the potential for a data breach via a supplier or contractor is significant because most small businesses have to outsource so many functions. They rely on third parties for external expertise and services they can’t handle internally, but they don’t have processes in place to monitor each supplier, contractor, or vendor’s security practices.
Unfortunately, third parties can expose your business data to breaches by accident. For example, they can introduce malware simply by accessing your company’s network with their own software and hardware. Intentional data breaches by third parties are also a real concern. For instance, vendors with poor security of their own could allow unauthorized access to your data and private customer information through their own employees or through hacks to their own systems.
At the very least, to mitigate these data security risks from third parties, you should follow the three key steps below:
1. Change Passwords and Change Them Often
You’ve heard it before, but we’re going to say it again. Change your passwords, and do it often. When your business receives new hardware or software, immediately change the default password or add a new password if no password is provided. At least once a quarter (but more often is better), set new passwords on all systems, hardware, software, etc.
Keep in mind, internal password changes aren’t enough to stop third-party data breaches. You should require that all vendors, contractors, and suppliers that have access to your systems change the passwords on their end often, too.
2. Use 2-Step Authentication
Systems that store private data should be configured so 2-step authentication is required to access them—both internally and externally.
This means employees and third parties accessing systems, whether they’re at your location or at an offsite location, should be required to enter a password and complete a second identity verification step before they can access proprietary data. Not only should this process verify identity, but it should also verify the security of the connection to your system.
3. Conduct Ongoing Security Testing
Don’t set up your data security processes and walk away. There is still a lot more to do!
It’s essential that you continually test your manual and automated security procedures to ensure they’re working and that both employees and third parties are following all of the requirements you’ve given to them.
Don’t Let Security Breaches Put Your Business at Risk
Security breaches could put your entire business in jeopardy. As technology continues to develop, and hackers get more sophisticated and creative, a data breach becomes more likely. Data security planning is something you shouldn’t put off until tomorrow because a breach could happen at any moment.