Stop giving Outside Vendors Permission to Access your Most Sensitive Customer Files!

by | Feb/4/2014

Question to ask your IT Professional: “Who outside of our company can log in as an administrator?” What happened at Target is that Target provided at least one of their vendors with username and password credentials to log in to Target’s corporate network. Attackers stole the username and password credentials from a vendor.

The attackers didn’t need to breach Target, they only needed to breach Target’s vendor.

It is very – yes very – likely that your vendors have username / password access to your network. That means you are counting on your vendors’ security to protect your own.

Your full set of questions to ask your IT Pros:

“Who outside of our company can log in?”
“Is their account disabled right now?”
“If the account is enabled, when is it set to automatically expire?”
“In the past six months, exactly how many times has a log in been absolutely necessary?”
“Do we reset vendors’ passwords and give them a new password every time we re-activate their account?”

This video that explains the reasons and also provides more information about the 5 questions that you should be asking IT about who has access to your systems. The video is in plain English and designed for Presidents, CEOs, CFOs, other top executives, and business owners:

PS: If you are in a hurry and only want to see the “12 questions” without the explanation of why this is important, this video is a short excerpt:



You may wonder, “Just who has access to our network?” Ask IT to show you. Maybe one or more:

-Outside consultants who take care of your network
-Vendors who sold you some of your most important software
-Vendors who maintain a database – perhaps that of your internal paperless office imaging software
-Maybe even “The guy who used to be your IT guy who needs to connect in and help now and then.”

Disable, not delete, vendor accounts. You can re-activate each account when the vendor needs access, but set the automatic expiration date and reset the password each time.

Don’t experience what Target experienced. Don’t trust your system’s security to outside parties who may not keep your password secure.

Do you want to know something funny? Too often, when assessing our customers’ security, it turns out that vendors on your network will have passwords like (if your company is named ACME) “ACME.P@ssw0rd” Guess what the vendor’s password is at their customer named “Tarpit?” You’re right: “Tarpit.P@ssw0rd” That “secure” password with letters numbers and symbols makes it easy for the vendor to “remember the password” for each of their customers. However, it leaves all of their customers, including you, wide open to anyone who knows the “secret strategy,” including every ex-employee the vendor ever had or will have. Even any angry ex-employees who might retaliate. That’s more scary than zombies on your driveway. This threat is real. Take action. Ask your IT Pros those questions now.

Please forward this to your friends and post your comments below…


  1. Michael Harmer

    I understand the spirit of what you are saying but I feel that it is skipping a very necessary step that is critical in addressing this very real concern.

    I think the very first thing to do is to define what is your policy? Business Leaders and IT should work together to develop an implementable and cost effective policy. Once that has been done the Business Leaders should insist on some kind of compliance monitoring or auditing to help assure them that policy is being followed. The reports that come from that processes should be reviewed by the business leaders and any corrective measures that need to be implemented should be mandated.

    This approach greatly lowers the work load on the Business Leaders as it no longer expects them to review hundreds of accounts with the Who, What, Why, When, Where and How information needed to understand the accounts. Instead they will get smaller (if not smaller then there is a serious problem) reports of where IT isn’t adhering to the mandated policy with short answers as to why.

    Additionally, the Business Leaders get the opportunity to engage a third party to do audits against the policy so that they know they are not being mislead by anyone internally.

    Michael Harmer

    • Mike Foster

      Yes, that necessary step of involving the Business Leaders up front, developing the policies and guidelines along with IT, is a crucial step. Thank you for your contribution!

      This step will, as you say, result in much better security as well as a way for the Business Leaders to stay informed via short reports.

      Additionally, perhaps IT will feel more confident since they have guidance via protocols about how to handle requests for higher levels of access. It can be stressful for IT to feel “backed into a corner” by having to make decisions that affect the security of the entire company if, at the same time, the Business Leaders aren’t willing to (don’t have time to) meet and work together with IT in order to create the policy. Thank you Michael!


Submit a Comment

Your email address will not be published. Required fields are marked *