How to Protect Against Cybersecurity Attacks

By Alyssa Verzino

AdobeStock_316469909 (1)

October is Cybersecurity Awareness Month, and we’re here to help. For legal teams, now is a good time to think about the evolving risks in your contracts. Specifically, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) recently recommended that all businesses review contractual relationships with all service providers as a result of two major supply chain attacks that exposed hundreds of companies, dozens of federal agencies, millions of individuals, and an untold number of state secrets to illegal surveillance and data theft. 

A supply chain attack typically targets companies that sell products and services, including Software-as-a-Service (SaaS) vendors that handle your critical business data. If one of your suppliers is compromised, your security can be breached as a result. One of your best defenses against this type of cyberattacks is with contract management solutions.

In their security advisory, CISA identified four key stipulations that should be included in all your vendor contracts.

1. Guarantees the vendor will use security controls that you, the customer, deem

Does the vendor use antivirus? Do they honor the principle of least privilege? Have they undergone a SOC 2 Type II audit? Every question you ask in a vendor security questionnaire or request for proposal, you should adapt into your client contract. After all, if you’re going to down-score or disqualify a vendor for failing to use two-factor authentication for all employee logins, you should contractually demand that two-factor authentication (or better) be a guaranteed practice when handling your data or connecting to your systems. Otherwise, you just encourage vendors to lie on their bid documents. Vague phrases like “industry standard” or “generally accepted” security practices are red flags.

2. Guarantees the vendor will use appropriate monitoring and logging of provider-managed customer systems

Your vendor can’t defend against events they can’t see, and you can’t audit logs that don’t exist. Uptime guarantees require uptime monitoring. Access restrictions should be verified by access logs. Whatever specific performance metrics you’re paying for, you should be able to verify from a logging system -- both because it helps keep your pricing honest, and because it is the first line of defense in detecting unauthorized or suspicious usage of your systems. This should be guaranteed in your contract.

3. Guarantees the vendor will use appropriate monitoring of the service

provider’s presence, activities, and connections to your network

Intrusion detection and traffic monitoring are basic necessities of security, but your awareness of network activity shouldn’t stop at the end of your own systems. You should be able to compare your logs to those of your vendors where your network and theirs intersect, so you can attribute access (and intrusions) effectively, and to also ensure that your vendor is keeping their own house in order. Your contract should ensure these protections.

4. Guarantees the vendor will provide notification of confirmed or suspected security events and incidents occurring on the provider’s infrastructure and administrative networks

You can’t respond to threats you don’t know about, which is why a very explicit notification window should be a non-negotiable item in every vendor contract. If a vendor is compromised, they should tell you in a matter of days, if not hours. And when they notify you, they should be specific about what type of attack was made, what type of access or data was gained by the attacker, and which specific users and accounts were affected.

Now that you know what cybersecurity stipulations should be in your contract, it’s time to discuss where and how to look for them. To learn how you can improve your cybersecurity posture with contract management software, check out this guide. 

Topics: vendor management Cybersecurity