Third-party contractors and vendors are increasingly necessary for doing business, but are typically the weakest links in the cyber security chain. Just look at the headlines.

• • A compromised contractor login is believed to be behind a pair of recent breaches at the U.S. Office of Personnel Management. The first breach exposed the personal information of more than four million government employees, and the second breach’s impact has now reached more than 20 million records.

• • While this may be common knowledge, it’s worth noting that the famous Target breach from a few years ago was traced to network credentials stolen from an HVAC contractor.

• • More recently, a new report from security scoring company BitSight says two well-known retail and financial companies — both of which had multiple breaches last year — have better network security controls than 25 defense contractors, including big names like Boeing, Raytheon and Lockheed Martin.

Four Tips for Maintaining Network Security

While it may not be possible to roll back your use of contractors, you can still change how your business interacts with them and regulates their network access.

1. 1. Establish documented security requirements for your vendors that are specific and realistic. It’s not uncommon for companies adhering to some form of government compliance — HIPAA, ISO 27001, etc. — to require the same standards from their downstream vendors. However, it may not be helpful to just pass those vendors a copy of the regulations because they’re not always specific enough.

      They might give guidelines such as “Security audit logging shall be implemented…”, but not describe what needs to be in the logs. Those same regulations may also say that log files must be reviewed daily, which is an unrealistic expectation. Reading log files is a monotonous job. Asking for it to be done daily is asking for it to be half done, either because whoever was tasked with the job fell asleep or just quickly skimmed them in order to check it off a list of daily tasks. And while it may be difficult, you should ask your contractors to require these same measures from their vendors.

1. 1. Create an agreed-upon accountability system. If you are creating requirements, how do you make sure those requirements are actually being followed? On-site visits? Regular, automated reporting? Some form of documentation? Obviously, this isn’t a question with a single answer. The type of accountability system used will have to be determined on a case-by-case basis.

      Accountability will be easier, though, if you …

1. 1. Maintain open and honest communication. Not only does this make requirements and standards easier to track, but it also ensures that ideas for present and future security measures flow freely.

      This makes security better for everyone, and perhaps most importantly, makes it easier to reach out when an incident or breach occurs with either party.

1. 1. Emphasize an understanding of the basics. Finally, if your vendors have direct access to something on your network — something that requires login credentials, for instance — special emphasis should be placed on requiring your vendors’ employees to have an understanding of basic personal security and types of attacks.