One nice thing about retail network security being front-of-mind is that more resources are popping up to help retail IT teams. Over at his Front Line Sentinel blog, Matthew Pascucci has done a good job of walking through the steps retail network security pros need to take in managing vendor access.
Create an on-boarding process for new vendors. As we work with companies to implement remote access solutions, we find that many lack a documented process for bringing new vendors into the fold. With a team and process in place for evaluating vendors and assessing risks, you can mitigate risk. Once contracts are in place, risk mitigation becomes more difficult.
Have your checklists ready. These can take a lot of different forms, but a list of questions for vendors to answer - where is data being held? what encryption is used? who has access to facilities - needs to be part of the vetting process. As a vendor working with enterprise customers in heavily regulated industries, we are accustomed to seeing these questionnaires. Be wary of any vendor who shies away from completing your questionnaires or does not answer questions directly and succinctly.
Define data parameters. Once a vendor has been vetted have a clear understanding of the data that vendor will be able to access. Be certain that the vendor is not using non-secure protocols to move data - such as FTP - and that data is encrypted in transit and at rest. If you opt to provide a vendor VPN access - instead of using a solution such as Netop's SecureM2M - make sure to have network segmentation in place to restrict the vendor or anyone using the vendor's credentials from accessing other parts of your network.
Prepare for the worst. Your incident response plan cannot be an afterthought. As the Target data breach showed, any organization is vulnerable to attack. Having a cross-team incident response unit, with clearly defined responsibilities, in place before an attack will allow you to, as Matthew says, control the incident before the incident controls you. Going the extra mile and purchasing cyber-insurance makes sense for most organizations.
You can read the complete post here.
At Netop, we've been providing secure remote vendor access for retail, financial services, government and military customers for over thirty years. Our expertise has won us the trust of the world's largest companies. You can learn more about our approach to securing remote vendor access in the webinar we recently conducted with our friends at Toshiba, "What Retail Executives Need to Know to Mitigate Security Risks."