Below is a letter you can send your third-party service providers if you want to give them pointers on being more secure. We’ve done the work to make this quicker for you.
None of these are unreasonable for you to request. You and your IT team can customize the letter to best fit the relationship. These recommendations apply even if a company doesn’t have servers and does all of its work in the cloud.
Dear – you fill in the blank,
We are checking in with all of our valued service providers, including you. If your organization suffers a significant security incident, you might not be able to provide the service we count on from you. A security breach at your organization could impact our business too. In the interest of helping you protect your organization, here are some guidelines:
You must have a robust disaster recovery plan. You must be able to recover quickly if you lose access to your information. Your IT team needs to practice restoring from backups, because a ransomware incident is not the time to restore all of your data for the first time.
It is essential that your IT team, or IT company, manage the security of all of your computers, including the computers any work-from-home employees use. Your IT professionals need to monitor security update status, manage anti-virus, and perform the other administrative functions that help protect the computers your workers use.
Please discuss with your IT team or IT company how quickly they deploy critical security updates to your computers. Security updates sometimes cause issues, so it is best to test updates, especially server updates if you have servers, before deploying them. Because the updates often prevent attacks, there is a level of urgency.
Remove programs you aren’t using. Attackers sometimes gain access to your systems through programs, and they cannot exploit a program that’s not installed. Flash is an example of a program installed on many computers that poses a security risk. Your IT team can give you the details and identify other programs they can remove from computers to increase security.
Ask your IT team to make sure your user accounts are “standard local users” on your computers. This one step can increase your security immensely. By default, users are local administrators on their computers. This applies to both Mac and Windows computers. If an attacker breaks into a user’s computer and that user is a local administrator, the attacker inherits those elevated privileges and can more easily defeat your security protections.
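One way an IT team can check this on a Windows computer, as an added example that is not part of the letter. It assumes Windows 10/11 or Windows Server 2016 or later (for the LocalAccounts cmdlets) and an elevated PowerShell session.

```powershell
# Added example, not part of the letter: report who is a local administrator on
# this Windows computer so the IT team can demote day-to-day user accounts to
# "standard local user". Assumes Windows 10/11 or Server 2016+ and an elevated
# PowerShell session.

function Get-LocalAdminReport {
    # Resolve the Administrators group by its well-known SID so the check still
    # works when the group has been renamed or localized.
    $group = Get-LocalGroup -SID 'S-1-5-32-544'

    foreach ($member in Get-LocalGroupMember -Group $group) {
        $enabled = $null
        if ($member.ObjectClass -eq 'User' -and $member.PrincipalSource -eq 'Local') {
            # Local user objects carry an Enabled flag; domain or cloud members do not.
            $enabled = (Get-LocalUser -SID $member.SID).Enabled
        }
        [pscustomobject]@{
            Name    = $member.Name
            Type    = $member.ObjectClass       # User or Group
            Source  = $member.PrincipalSource   # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            Enabled = $enabled
            # RID 500 is the built-in Administrator account; every other user
            # here is a candidate for demotion unless the IT team documents why
            # it must keep admin rights.
            BuiltIn = ($member.SID.Value -match '-500$')
        }
    }
}

# Print the full report, then a one-line summary of accounts to review.
$report = Get-LocalAdminReport
$report | Format-Table -AutoSize

$toReview = $report | Where-Object {
    -not $_.BuiltIn -and $_.Type -eq 'User' -and $_.Enabled -ne $false
}
"Enabled non-built-in admin accounts to review: $($toReview.Count)"

# After review, an account is demoted by removing it from the group. Shown with
# -WhatIf so nothing changes until the IT team removes that switch;
# 'jdoe' is a placeholder account name.
# Remove-LocalGroupMember -SID 'S-1-5-32-544' -Member 'jdoe' -WhatIf
```

Run it on each computer (or through your management tooling) and keep the output with the ticket that records which accounts were demoted and why any were left as administrators.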
Enable two-step verification on all the websites that require a login. In its most basic form, once a two-step login feature is enabled, when a user enters a username and password, their phone will receive a text message with a code to complete the login process. This added protection helps you tremendously if an attacker steals one of your website passwords. The setting is usually in the security settings of the website. Three places two-step login is essential:
- SaaS programs your users run in the cloud. Zoom, QuickBooks Online, an ERP, G Suite, Office 365, and SalesForce are SaaS offerings.
- Remote Desktop Connections
Realize that connecting from public networks, including coffee shops and hotels, is risky, even if the user uses a VPN. It is more secure to use a phone or personal hotspot to connect a computer to the Internet. The added phone charges may be lower than you expect, especially if you change to a plan with unlimited data.
Please forward this to your service providers; it can help prevent big heartaches and expenses for you and them.