If Target had been more diligent in vetting its vendors, it would have avoided such damage: The company’s refrigeration contractor, Fazio Mechanical, was the vector attackers used to access Target’s information.
This scenario isn't limited to multi-billion-dollar businesses. Such breaches happen frequently and underscore the importance of understanding the cybersecurity strengths and weaknesses of the companies you work with prior to transactions, and also reinforcing your own.
In order to continue to do business and exist in supply chains, organizations should be expected to be asked about their practices and present themselves as trusted partners. This often comes in the form of Due Diligence Questionnaires (DDQs).
Organizations issue DDQs to vet potential partners prior to transactions and assess possible liabilities. All aspects of the recipients are reviewed including their cybersecurity. While DDQs don’t reveal all vulnerabilities, they can signal whether companies should move forward on a deal, or negotiate its details further, or abandon it altogether.
Below is an explainer detailing what you need to know about DDQs.
DDQs & Cybersecurity
As a whole, DDQs center on compliance. The goal of issuing a DDQ is to discover as much information as possible prior to signing off on transactions, and prevent surprises such as the one Target experienced. This data includes financials, legal and business activities, and more.
Given the mounting cyber threats facing industries today and the devastating effects they can have when realized, exceptional cybersecurity has become imperative. Most DDQs, therefore, devote portions to specifically assessing cybersecurity.
In fact, it was described as a “bedrock component” in a recent article published by the Daily Business Review.
DDQs may include a wide variety of questions about cybersecurity. Common questions companies should be prepared to answer include:
- Has your company undergone a penetration test or vulnerability assessment of your environment, performed by a professionally or nationally recognized third party?
- Are there any specific activities undertaken by your company, such as an information security awareness program?
- Are users at your company subject to a rigorous ‘sign-on’ process before accessing target systems?
- Does your company have a computer emergency response team (CERT) set up to handle hacking and other system breaches?
- Does your company policy provide for a formal, comprehensive physical and environmental security program with protocols and procedures currently in effect and actively monitored and enforced by the organization?
Your answers will reveal much about the health of your organization, and if you find your answers lacking, you’re likely to lose out on business. Therefore, it's important to perform a preemptive assessment of your organization before a possible partner requests one. The earlier you can identify weaknesses in your posture, the more time you have to mediate them and earn more business.
Conversely, a DDQ can also be a valuable tool to help you avoid vulnerable partners and close lucrative transactions with more worthy organizations.
Do you have questions about whether or not your business is prepared to adequately complete a cybersecurity DDQ? Are you concerned about ever-evolving cyber threats targeting you and your clients? Cybersafe Solutions can help.
The right cybersecurity partner can make all the difference when it comes to DDQs. Their experts should have extensive experience in addressing any concerns, and working with a managed service provider that implements 24/7/365 network, cloud and endpoint monitoring—utilizing cutting-edge technologies and top-tier threat intelligence—will give you the confidence to pursue business opportunities while retaining peace of mind.
From small- and mid-sized businesses to large critical infrastructures, Cybersafe partners with businesses, organizations, and individuals to prevent, detect, and respond to cyber threats and attacks that are continuously evolving.