Experian. Facebook. Target. What single major characteristic do these 3 seemingly disparate brands have in common? All 3 suffered significant data exposures or breaches that were traceable back to a third-party relationship.
Don’t be fooled, though: they’re not the only ones. In today’s era of heightened cyber caution, third-party vendors are emerging as the new Achilles heel of data security, introducing the potential for both accidental and intentional data and application exposures.
As defined in our Naked Data whitepaper, accidental exposures result from overlooked security and compliance settings, controls, and configurations that potentially expose your applications and/or data to the public or to threat actors. By contrast, intentional cyberrisks are targeted threats from malicious actors who try to breach your network’s defenses, aiming to steal intellectual property, customer records, and other types of critical, personal information.
Understanding that it’s virtually impossible to conduct business without the support of third parties, what options do security teams have?
The short answer is the topic of this installment of our cybersecurity best practices series: make sure the cybersecurity standards of all third-party vendors meet or exceed your own organization’s standards.
A chain is only as strong as its weakest link
When you partner with a third-party vendor, you’re signing up for more than just their product or service. Assuming that their participation in your operation requires some level of access to your environment, you’re also accepting whatever untreated cyberrisk exists as a result of that third party’s security controls, or lack thereof.
Communication is Key for Vendor Risk Management
Customers pose a particularly challenging problem for companies whose business model relies on collecting and reselling large data sets for other companies to use. For companies in this situation, the customers represent a significant potential risk of data exposure, possibly greater than that of traditional partners, suppliers, or affiliates.
Ensuring your company’s cybersecurity is a collaborative effort that requires detailed discussions and decision-making between your leadership and that of your vendor-partner. Key questions to ask include:
- What data will your 2 organizations be required to share? Importantly, be sure to validate that need before any data is shared, or new categories of data are added over time.
- Who will own the responsibility of storing and protecting that data, and will they be authorized to share it with their partners?
- How long will data be retained?
- What happens to data if you terminate your contract with them?
- Has your vendor ever had a cybersecurity audit and penetration test? If so, what were the results?
The following questions are critical; if the answer to any of them is “no,” consider it a red flag:
- Does your third-party vendor have clearly documented and current cybersecurity policies in place?
- Do the policies include processes for the handling of incidents?
- Do they include processes for damage recovery?
- Is stored data encrypted, whether onsite or in offsite backups?
- Does the third party have documentation or certifications they can share from an audit reflecting adherence to a major security framework such as NIST, the CIS Critical Security Controls, or ISO?
- Are the security controls of your vendor validated by an external party?
- Is the third party subject to any compliance mandates or other regulatory frameworks? Can they share the results of any audits or documented processes in pursuit of that adherence? There is nothing wrong with requesting copies of their compliance certifications. You can also follow up with an in-depth questionnaire about their security practices.
- Is penetration testing done on a regular basis?
You’ve asked the right questions, what’s next?
At the end of the day, though, it’s up to you to demand cybersecurity best practices be maintained by your third-party relationships in order to protect your organization, your customers and your brand. So where do you start?
- Conduct a “cyber background check”. It’s surprisingly common for companies to bypass the validation of vendors’ cybersecurity protocols simply on the basis of a familiar name, a credible website, or an impressive product. Instead of accepting circumstances at face value, check to see if your vendor has ever been compromised before. Search online for any indications that the organization has been breached in the past. If you have expertise on your team, investigate chatter about the third party on the Web. If there are indications of an incident, determine how the incident was handled. Was the incident covered up or marginalized? If the answer to that question is “yes,” reconsider your options. It doesn’t hurt to be selective and demanding of third parties.
- Establish a formal vetting process. Though many companies have vendor management or procurement teams that handle the vetting and approval of third-party relationships, their oversight process doesn’t always include cybersecurity. To address these cyber risks, several security groups have been created in recent years. In 2009, eBay and ING formed the Cloud Security Alliance to promote best practices in secure cloud computing. In 2015, AirWatch partnered with 10 other companies to form the Mobile Security Alliance as a means of mitigating threats within the mobile threat landscape. In 2016, 9 technology companies—Uber, Docker, Dropbox, Palantir, Twitter, Square, Atlassian, GoDaddy, and Airbnb—founded the Vendor Security Alliance (VSA), an independent, non-profit coalition designed to help member companies evaluate the security and privacy of their third-party providers and benchmark acceptable cybersecurity practices. If your company doesn’t have an internal vendor management team—or if you do, but its activities don’t include cybersecurity and compliance—you’d be well-served to consider the assistance or available resources of one of these groups.
- Incorporate cybersecurity into your SLA. Make your cybersecurity expectations clear in a formal Service Level Agreement (SLA) or contract with the third party, including mandatory cybersecurity controls that comply, at the very least, with regulatory and industry standards. Your SLA or contract should include provisions for the right to audit or conduct a security assessment of the service provider’s cybersecurity practices and of its compliance with what was initially agreed to. Furthermore, the SLA or contract should document the aforementioned data ownership and management responsibilities and spell out what the vendor will be held accountable for, as well as the applicable penalties for non-compliance.
- Implement ongoing monitoring and analysis. In addition to proactive vetting, it’s just as important to have resources in place to evaluate the impact of new cyber incidents. A number of independent intelligence providers offer unbiased inputs on the status of third parties. If a third party is hit by a cyberthreat, these third-party intelligence feeds will report back so you can determine whether the incident puts you at risk. Here’s a short list of firms operating in this space: BitSight, RiskRecon, and SecurityScorecard.
The Ball Is In Your Court
If your company has a vigorous cybersecurity compliance program but you’re doing business with a third party whose program is weak or—even worse—nonexistent, make no mistake: your business is now just as weak and vulnerable. Today’s marketplace demands a renewed and expanded approach to the cyberrisk posed by third parties. Cyberrisk introduced by third parties needs to be continually assessed and monitored.
Keep an eye out for our final installment of the cybersecurity best practices series coming soon!