2026-04-20

SECURITY HINTS & TIPS:

VENDOR SECURITY

The DOs: Safe Interaction with External Partners

🀝 Verify Identity Before Sharing Any Data
Before sending files or granting access to a third party, confirm the identity of the person via a trusted communication channel (e.g., a phone number or verified internal directory listing).

🔒 Use Multi-Factor Authentication (MFA) On All Vendor Portals
If a vendor provides a system, application, or portal you must log into, ensure MFA is enabled. Treat external credentials with the same security as your internal accounts. If they don’t offer MFA, notify your supervisor.

📁 Only Use Company-Approved Sharing Tools
When sending files to third parties, use company-sanctioned file sharing services (e.g., Google Drive). Never use personal cloud storage or unencrypted email attachments for sensitive data.

🚨 Report Suspicious Vendor Communications Immediately
If an email or message from a known vendor looks slightly “off,” asks for unusual data, or contains urgent demands, stop and report it to the Cybersecurity team immediately.

🚪 Log Out of Vendor Systems When Finished
Always formally log out of external vendor applications and portals, especially if they handle customer data or company confidential information. Closing the browser tab is often not enough.

The DON’Ts: Avoid These User-Based Risks

❌ DON’T Use Vendor Credentials on Internal Systems
Never use the password you created for a vendor’s portal or system on any of our internal corporate accounts (e.g., email, VPN, HR system). Use a unique password for every service.

🖥️ DON’T Grant Unrestricted Screen Sharing Access
When troubleshooting with a third-party support agent, ensure you only share the necessary screen or application. Close all unnecessary tabs and documents before granting access.

🔑 DON’T Bypass Access Controls for Convenience
Never share your personal credentials (logins, API keys) with a third party, even if it seems faster than going through the proper access request process.

🚫 DON’T Click “Unsubscribe” or “Update Profile” in Unexpected Emails
Phishing campaigns mimic vendor communications. If you receive an unexpected email requesting that you update your vendor profile, navigate directly to the vendor’s website to make the changes.

🛑 DON’T Leave Vendor Access Open After a Project is Complete
If a consultant or vendor has finished their project, ensure their access permissions to our shared files, projects, or applications are formally revoked by notifying your manager or IT.

ISMS 27001: 05.21 Vendor Management Policy

Manitoulin Group of Companies Security Team
Cybersecurity@manitoulingroup.com

Stop, Look, and Think. Don’t be fooled.