Pratum Blog

Validating Vendors' Cybersecurity Practices

Working with vendors is necessary for many businesses, no matter the size. That often means giving sensitive data to people outside the comfort of your own company walls. While the extra help can be crucial to the growth of your organization, it can also open yourself and clients to possible risk. A mature vendor management program is paramount for the protection of your data.

So where do you start?

First, you need to identify your critical vendors (learn how in our post “IT Vendor Management”). You should devote extra attention to these vendors because they could pose the highest risk to your organization.

How do you know if vendors are protecting your data?

One way to double-check the safety of your information is to review your vendors’ third-party validated reports. These reports are produced by an outside auditor who reviews the security program a vendor has in place.

Compliance reports will reveal the scope, gaps, exceptions, and complementary user entity controls.

  • Scope shows what the report covers. This is where the auditor lays out exactly what is being reviewed in the vendor’s security. This helps a business reading the report know how the results correlate with the way they will work with the vendor.
  • Gaps and exceptions are the items or practices missing from a vendor’s security program. These can be either minor or major. It may take an IT expert to determine what is worthy of concern, and what may be passable.
  • Complementary user entity controls explain what the business is responsible for in the security process. This lays out the procedures a business should have in place to protect itself when working with a vendor.

One example of a third-party validated report is a SOC 2 report. While these reports can be a wealth of knowledge for a business, not all organizations will have them available. That means you need to find alternative ways to determine the security practices of your vendors. One way to do so is by asking a lot of questions!

Questionnaires can help when SOC 2 reports are missing.

Questionnaires are a way to evaluate a vendor’s security program. This will include questions about how they plan to protect your data, and what practices are already in place.

There are a few ways you can come up with a valuable questionnaire. They can be written by internal IT staff; just make sure you verify their knowledge of compliance reports. If they don’t feel comfortable creating the questionnaire, another option is outsourcing the job to a cybersecurity firm. Once the questionnaire is sent to the vendor, they should be able to fill out each question with ease. Not being able to do so could raise concerns.

Another red flag would be a vendor who has a SOC 2 report but refuses to share it with the business. Sharing SOC 2 results is a common practice and they should not be withheld from organizations working with that vendor. However, it is acceptable for vendors to request a non-disclosure agreement prior to delivering the report.

Do not settle for knowing a SOC 2 report is there.

Often business owners will ask a vendor whether they have a SOC 2 report, but never actually review the results. Simply having a SOC 2 report done does not mean the vendor is secure. Assess and analyze the results, then determine whether that vendor is going to protect your company’s sensitive data. Your data is one of your most precious assets. Don’t leave it to chance in the hands of insecure vendors.

If you receive compliance reports, but still have no idea what they mean, there are cybersecurity experts ready to help!

Pratum Acquires Seneca Security - Digital Forensics Firm

Iowa Based Cybersecurity Firm Expands into Minnesota and Wisconsin Through Strategic Acquisition of Seneca Security

[Ankeny, IA, October 22, 2019] Pratum, an Iowa-based cybersecurity firm, today announced the acquisition of Seneca Security, a Twin Cities area digital forensics firm. Seneca provides forensics expertise to guide clients in internal corporate investigations, criminal and civil litigation, and data breach response.

The acquisition enhances Pratum’s ability to deliver comprehensive security services by increasing forensics capacity and incident response expertise. As clients continue to search for providers that offer a full suite of cybersecurity services, Pratum is evolving its services to remain ahead of demand. The leadership, business model, and geographic location of Seneca Security make it a great fit for Pratum.

“With the acquisition of Seneca Security, we were able to expand our digital forensics practice while simultaneously gaining a foothold in a new market. This is a win for both companies and positions Pratum to continue our strong pattern of growth,” commented Dave Nelson, Founder and CEO at Pratum.

The addition of Seneca immediately establishes Pratum as a contender in the Twin Cities market. Pratum now has employees and offices extending from the northern Midwest down to Southeast Texas.

“We are thrilled to be part of the Pratum family. By joining forces, I can remain focused on digital forensics services while contributing to a team that delivers all-inclusive security services.”

Lucas Woodland, Founder and CEO at Seneca Security

Pratum's acquisition of Seneca Security was completed on October 4, 2019, and the parties are executing a seamless transition plan for current customers of Seneca Security.

Best Buy Email Gift Card Scam

Gift card phishing campaigns are on the rise. These scams can be believable and tricky to recognize until it’s too late. Being informed on how this type of scam works will keep you better protected and prevent you from saying: “I can’t believe I just lost $1,000! How could I have fallen for something like this?”.

Emily is one example of someone falling victim to gift card phishing. Trouble started when she received an email from her company’s CEO requesting a favor. The email stated that he wanted her to buy five (5) $200 Best Buy™ gift cards and send him the codes within an hour. It also stated that she must reply via email only, because he was headed into a meeting. Most people do what their CEO asks, so Emily went to Best Buy™ to purchase the gift cards. After paying for them, she sent the codes to her CEO just as he asked. Emily thought nothing of it and headed back to the office. She later bumped into the CEO and asked whether he had received her email with the gift card codes. Confused, he told her that he didn’t know what she was talking about. With a sick feeling in her stomach, she realized that someone had been imitating her CEO, and she had just been scammed out of $1,000.

Emily’s not alone; this has happened to countless people around the world. Phishers are typically skilled at finding an employee’s name and position within the company, which makes that employee an easy target. They prey on their victims by sending an email posing as the CEO or another member of upper management requesting gift card codes. The email instructs the victim to “act quickly”, creating a sense of urgency and leaving less time to notice it’s a scam. It will also require the victim to respond by email only, stating that the sender is headed to a meeting and won’t have phone access. The details of this email create an illusion of a legitimate request, making it easy to fall for. Unfortunately, by the time the scam is discovered, the attackers have often already spent the money, and there is no way to get it back.

Take these steps to help prevent and protect yourself from email gift card scams:

  • Be Diligent: These emails may seem legit, but always take a moment to check the email address, wording, and general layout for any peculiarities that indicate it’s fraudulent.
  • Trust, but Verify: If you have suspicions about whether the email is valid, the best option is to verify with the sender in person or by phone. Don’t respond to the email!
  • Exercise Caution: Whatever happens, do not give out your phone number or other personal information. Doing so gives the imitator a way to contact you directly for other schemes and could lead to worse crimes.
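The “Be Diligent” step above boils down to a handful of checks that a mail filter or a help desk analyst can apply mechanically: does the sender address really belong to the executive named in the display name, does the message ask for gift cards, does it push urgency, and does it insist on email-only contact? The following Python script is an added example, not code from the original post or from Pratum; it scores a raw email against those indicators and runs it over two constructed messages, one modelled on Emily’s scam and one ordinary internal request. The corporate domain `example.com`, the executive name “Pat Executive”, and the sample addresses are all assumptions made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (not from the post): the company's own mail
# domain and the executives whose names a scammer would put in the From header.
CORPORATE_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"pat executive"}

# Phrase patterns for the indicators the post describes.
GIFT_CARD_RE = re.compile(r"\bgift\s*cards?\b", re.I)
URGENCY_RE = re.compile(
    r"\b(within (the|an?) (hour|next \d+ minutes)|asap|right away|urgent(ly)?|immediately)\b",
    re.I,
)
EMAIL_ONLY_RE = re.compile(
    r"\b(reply|respond)\b.{0,40}\bemail only\b"
    r"|\b(in|into) a meeting\b"
    r"|can'?t (take|answer) (calls|the phone)",
    re.I | re.S,
)
CODES_RE = re.compile(r"\b(scratch|codes?|card numbers?|redemption)\b", re.I)


def sender_domain(header_value: str) -> str:
    """Return the lower-cased domain of an address header, or '' if none."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_email(raw: str) -> dict:
    """Score a raw RFC 822 message for gift-card BEC indicators."""
    msg = message_from_string(raw)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = sender_domain(msg.get("From", ""))
    # A missing Reply-To means replies go back to From, so treat it as equal.
    reply_domain = sender_domain(msg.get("Reply-To", "")) or from_domain
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"

    indicators = []
    # Executive's name in the display name, but the address is not ours.
    if display_name.strip().lower() in EXECUTIVE_NAMES and from_domain != CORPORATE_DOMAIN:
        indicators.append("executive display name from external domain")
    if reply_domain != from_domain:
        indicators.append("Reply-To domain differs from From domain")
    if GIFT_CARD_RE.search(text):
        indicators.append("gift card request")
    if URGENCY_RE.search(text):
        indicators.append("urgency language")
    if EMAIL_ONLY_RE.search(text):
        indicators.append("insists on email-only contact")
    if GIFT_CARD_RE.search(text) and CODES_RE.search(text):
        indicators.append("asks for card codes")

    return {
        "score": len(indicators),
        "indicators": indicators,
        "suspicious": len(indicators) >= 3,
    }


# Constructed sample messages; the domains and people are fictitious.
SCAM_EMAIL = """\
From: Pat Executive <pat.executive.ceo@attacker-mail.example>
To: emily@example.com
Subject: Quick favor

Emily, I need you to pick up five $200 Best Buy gift cards and send me the
codes within an hour. Reply via email only, I am headed into a meeting.
"""

LEGIT_EMAIL = """\
From: Pat Executive <pat.executive@example.com>
To: emily@example.com
Subject: Q4 planning deck

Emily, could you send me the latest version of the planning deck when you
get a chance? No rush, end of week is fine.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, analyze_email(raw))
```

The threshold of three indicators is a design choice for the example: a single hit (an executive emailing from a personal address, say) is common enough in ordinary traffic that flagging on it alone would be noisy, whereas the combination the post describes (external sender, gift cards, urgency, email only) reliably clears three. In practice the display-name check should be backed by an allow-list of each executive’s known addresses rather than the corporate domain alone.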

Scammers are highly skilled at targeting human nature, which is why many people fall for their schemes. Gift card phishing campaigns are hot right now, but phishers are creative, and it’s only a matter of time before a new campaign rolls out. The best way to protect yourself from scammers is by becoming informed. The more people who recognize their tactics, the less power they have.
