Are your business partners secure?

Are your business partners secure? Without giving too much thought to the question, you nod for a moment, saying to yourself “sure, they are”, but then the confusion starts to wind its way into your brain. Are you safe in the assumption that your business partners are in fact secure? Further to that end, do you have a clear understanding as to who is connecting into your network and how?

I’ve had the opportunity to work in an environment in the past that had hundreds of business partners connecting into our enterprise. Our team took the step of putting together an effort to look into these connections. The first thing that struck me out of the gate was the absence of a defined inventory, a risk ladder and any sort of verification.

This was going to require a significant amount of Pepto.

One of the first things that you need to ensure is in place is a defined inventory of your business partners. You need to know when the contract will be in place, including a clear end date. This may seem incredibly simple, but I’ve learned through trial and error(s) that many organizations do not do a very good job of this task. In another shop that I worked in, I lifted a tile in the data centre and almost dropped it on my foot when I saw something under the floor.

It wasn’t a rat, but that has happened before as well. No, it was a Cisco router blinking back at me from under the floor. Um, yeah. After a great deal of consternation and phone calls it was discovered that this connection was going back to a former business partner now turned competitor. You could hear a pin drop when we puzzled out that little gem.

First off, you need to have an inventory. You need to ensure that your inventory is clear and complete. It will constantly be changing as business agreements are renewed, changed or expire. But this will go a long way to helping you deal with compliance, audit and overall security.

The next item to consider once you have your inventory in place is implementing a risk ladder. This way you can roll out a clear, defined, repeatable process for dealing with the intake and exit of your business partners. Using your inventory you could then go through and assign risk ratings based on the partners you’re working with. This would require a proper process being built out, mind you. The Ron Popeil “set it and forget it” method will never work in this case.

Then we arrive at “trust (but test) and verify”. You have your inventory of business partners. You have your risk ratings. But have you tested what has been implemented? I’ve made the mistake in the past of accepting that what I was told had been done was in fact the case. I was sorely disappointed to discover that had not been the case at all. Frustrating to no end. But I learned my lesson from this and was able to recover before having to explain to the C-suite why we were all over the front page.
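As an added illustration of the three steps above (inventory with end dates, a risk ladder, and verification), not code from the original post: a small reconciliation of a contracted-partner inventory against the peers actually seen on the network edge. The inventory records, peer addresses and per-tier re-test cadence are all constructed for the example; it flags links that are on the wire but not in the inventory (the router under the floor), links whose contract has expired, and active links not verified within the window their risk tier allows.

```python
from datetime import date, timedelta

# Constructed sample inventory (not from the article): one record per contracted link.
INVENTORY = [
    {"partner": "Acme Logistics", "peer": "203.0.113.10",
     "contract_end": date(2016, 6, 30), "risk": "high", "last_verified": date(2015, 4, 1)},
    {"partner": "Beta Payroll", "peer": "198.51.100.7",
     "contract_end": date(2014, 12, 31), "risk": "high", "last_verified": date(2014, 10, 1)},
    {"partner": "Gamma Print", "peer": "192.0.2.44",
     "contract_end": date(2017, 1, 31), "risk": "low", "last_verified": date(2014, 6, 1)},
]

# Constructed set of peer addresses actually observed on the edge (e.g. from router/firewall state).
OBSERVED_PEERS = {"203.0.113.10", "198.51.100.7", "192.0.2.99"}

# The risk ladder expressed as a re-verification cadence per tier (assumed values).
VERIFY_DAYS = {"high": 90, "medium": 180, "low": 365}


def reconcile(inventory, observed, today):
    """Return findings keyed by category: orphan, expired, stale."""
    findings = {"orphan": [], "expired": [], "stale": []}
    known = {rec["peer"] for rec in inventory}
    # Link present on the wire but absent from the inventory: nobody owns it.
    findings["orphan"] = sorted(observed - known)
    for rec in inventory:
        active = rec["peer"] in observed
        if not active:
            continue  # nothing connected; an inventory cleanup item, not a risk finding
        # Contract has ended but the link is still up.
        if rec["contract_end"] < today:
            findings["expired"].append(rec["partner"])
        # Active link whose last verification is older than its tier allows.
        if today - rec["last_verified"] > timedelta(days=VERIFY_DAYS[rec["risk"]]):
            findings["stale"].append(rec["partner"])
    return findings


if __name__ == "__main__":
    for category, items in reconcile(INVENTORY, OBSERVED_PEERS, date(2015, 6, 1)).items():
        print(f"{category}: {items}")
```

Run against real data, the observed set would come from the edge devices themselves rather than a hand-typed list, so the inventory is checked against what is actually connected, not against what someone said was connected.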

These are just some of the points that you need to keep abreast of. You cannot afford to be mistaken and have your data leave out the back door. Be sure to test all of your business partner connections. There is much more to dive into on this subject and I will address more of this in future posts.

(Image used under CC from flazingo_photos)

Copyright © 2015 IDG Communications, Inc.
