Updated: Forward these 7 Minimum Security Requirements for Your Small Service Providers

by | Jul/23/2018

Many organizations outsource to service providers that are not cyber-secure. It is common for companies to experience a significant security breach that originated at a third party. Just ask Target. Forward this request to your small outsourced providers asking them to do these seven things.
This newsletter is much more lengthy than usual, but it is essential to provide you with comprehensive information to forward to your smaller service providers.

Of course, large service providers are expected to do much more for their security. But what about your service providers that have 10 or fewer employees and cyber-security has never been appropriately addressed? The chances are that they are hungry for some detailed security guidance. Once they implement some or all of the following recommendations, they can sleep better at night too.

None of these are unreasonable for you to request. And, a massive benefit to your service provider is that they can improve their cyber-security and that helps their own company and other customers, too. Everyone wins!

If you want to, send your contractors and service providers something like this. You may want to ask your IT team to review and perhaps edit it since your organization may already have security measures in place that eliminate the need for your providers to perform some of these recommendations:

Dear – you fill in the blank,

Cyber-security is a big concern these days, and we are checking in with all of our valued service providers, including you.

Our cyber-security depends to some degree on your level of cyber-security.

Below are cyber-security recommendations for you to follow in your organization. You may fall under laws and regulations that are even more stringent than these.

If you have any questions or decide not to follow the recommendations for any reason, please say so, and that will start a dialogue that can be beneficial for all parties.

First and foremost, you should always have great backups, and the ability to restore, because you accept full responsibility if you experience any problems as you implement these recommendations.

Unless you use patch management, and maybe nobody ever told you what that is, then to help ensure you are receiving protective patches from Microsoft and Apple, strongly consider enabling the automatic update feature in Windows and Mac OSX. There is a good chance it is activated already, but be sure. Installing critical security patches is essential since it increases security dramatically. There is always a small risk that a security patch could cause problems, but not installing a critical security update can put you at a much higher risk.

Patch your browsers too. Browser security patches are critical since, if a user clicks a malicious link in an email message, the attack usually makes a mad dash to poison that user’s browser quietly.

Uninstall all programs on each computer that you don’t think you will use. It is ok to start with the programs that are easy to recognize and skip the rest for now. That speeds and simplifies implementing this recommendation. Every program installed on a computer is a potential toe-hold for an attacker to gain access to a system. Worst case, if you delete an application now that you need later, you can usually re-install it quickly and easily.

In particular, remove Java and Flash. These are two tools that are frequently hacked and are likely unnecessary for your organization. Leaving them installed creates a significant security risk in your organization. If you later discover that you do need either, you can reinstall them with the newest version. Make sure to only get Java from java dot com and Flash from get dot adobe dot com forward-slash flash player Do not insert the space between the words flash and player.

If you do leave Java or Flash installed, investigate the click-to-play option that could protect you from unauthorized attacks based on Java and Flash.

Make sure to make your user accounts a “standard user” on your computers. Implementing this recommendation is slightly more complicated, especially if you are unfamiliar with creating new users. But it is included in these recommendations because it can increase your security immensely. If you use a third party IT company, you may choose to ask them to do this part for you.
The necessary steps for Windows and Mac: 1) Create a new local user account 2) Promote that user to be a local administrator 3) Demote the computer user’s current account to a standard user and use that account. Perform this change on each computer separately. It is rare that a user will notice there has been a change. If you ever need administrative access to a computer, you can use the new user account that you created and promoted to have administrative access. In rare circumstances, a program you use may require each user to be a local administrator. Needing to configure users to be local administrators is unfortunate indeed since it is so damaging to security.

The previous recommendation is all about local user accounts. Larger organizations especially will use something called the Active Directory. However, even when using the Active Directory, this recommendation about local administrators still applies.

Enable two-step verification on all the websites that require a login. In its most basic form, once two-step login is turned on, then when a user enters a username and password, their phone will receive a text message with a code to use to complete the login process. This added protection helps you tremendously if an attacker steals one of your website passwords. The setting is usually in the security settings of the website.

Even if your screen is set to lock after a brief period automatically, an insider can easily bypass that will artificially jiggle the mouse. The computer will think you are there, even if you are not, and the computer will not lock automatically. Before you ever move away from your computer, manually lock the screen. One way to quickly accomplish locking the screen in Windows is to hold down the Windows key and then tap the L key. On Macs, utilize the hot-corners feature to lock the screen when you move the mouse to one of the corners of your screen. Require a password to unlock the screen.

Before you send us a file that contains sensitive information, encrypt the file. It is straightforward to encrypt Microsoft Office and PDF documents using settings within the software. If you are emailing a file, do not email the password too, not even in a separate email message. If an attacker has access to the email accounts, they will have both the file and the password. Instead, exchange the passwords via a phone call or a text message. Unless required by regulation or law, use a passphrase at least 15 characters long, but you do not need to use the upper case, lower case letters, numbers, and symbols. Making passwords complex interferes with productivity and doesn’t help as much as using longer passphrases. An example passphrase could be: thanks for being secure. Just be sure you still comply with rules and regulations.

Know that it is an excellent practice to avoid connecting to Wi-Fi services at hotels, airports, coffee shops, etc. It is more secure to use a phone or personal hot-spot to connect a computer to the Internet. The added phone charges may be lower than you expect, especially if you change to a plan with unlimited data.

Please forward this to your smaller service providers; it can help prevent some big heartaches and expenses for you and them both.