Google. Facebook. Target. What single major characteristic do these 3 seemingly disparate brands have in common? All 3 suffered significant data breaches that were traceable back to a third-party vendor.
Don’t be fooled though, they’re not the only ones. In today’s era of increasing cybersecurity risks, third-party vendors are emerging as the new Achilles heel of data security. They can augment the corporate infrastructure at almost any point, from technology support and analytics to HR, logistics, and sales. However, in the meantime, they often gain access to highly sensitive data. And, make no mistake, bad actors are setting their sights on these organizations, as they are often the gateway into larger enterprises.
Understanding that it’s virtually impossible to conduct business without the support of third parties, what options do security teams have? This article will cover the best practices enterprises should follow as part of their vendor management process to ensure that vendors aren’t opening any security backdoors into your enterprise IT environment.
The short answer of what you should do: Make sure the cybersecurity standards of all third-party vendors meet or exceed your own organization’s standards.
A Chain Is Only as Strong as Its Weakest Link
When you partner with a third-party vendor, you’re signing up for more than just their product or service. Assuming that their participation in your operation requires some level of access to your network, you’re also accepting the full measure of the risks associated with them holding your data. This is especially true of SaaS vendors that your company may use to augment your operational capabilities.
If you believe that your own cybersecurity controls are enough to thwart a malicious actor coming at you through a vendor’s ecosystem, that is a good start. However, the experience of mega-brands like Google, Facebook, and Target should be enough to make you think again. In fact, the aforementioned large breaches suffered in recent years tended to originate within third parties, not the breached companies themselves. As noted in our recent Naked Data whitepaper, 6 out of 11 major recent breaches analyzed by our teams were due to poor security by an affiliate, partner, or customer of a larger organization.
Questions for Your Vendor Risk Management Process
Ensuring your company’s cybersecurity is a collaborative effort that requires detailed discussions and decision-making between your leadership and that of your vendor-partner. Key questions to ask include:
- What data will your 2 organizations be required to share? Importantly, be sure to validate that need before any data is shared, and again whenever new categories of data are added over time.
- Who will own the responsibility of storing and protecting that data, and will they be authorized to share it with their partners?
- How long will data be retained?
- What happens to data if you terminate your contract with them?
- Has your vendor ever had a cybersecurity audit? If so, what were the results?
The following questions are critical; if the answer to any of them is “no,” consider it a red flag:
- Does your third-party vendor have clearly documented and current cybersecurity policies in place?
- Do they include processes for the handling of cyberincidents?
- Do they include processes for damage recovery?
- Are their onsite data and any offsite backups encrypted?
- Does your vendor have security certifications? There is nothing wrong with requesting copies of their compliance certifications. You can also follow up with an in-depth questionnaire about their security practices.
- Are the security controls of your vendor validated by an external party?
- Is penetration testing done on a regular basis?
You’ve Asked the Right Questions. What’s Next?
Security awareness and training are the most fundamental components of enterprise self-protection. Formal programs, however, can be complex and costly, depending on the nature and size of your enterprise—and not always easy to share with vendor-partners. At the end of the day, though, it’s up to you to demand an adequate level of security from your third-party vendors in order to protect your organization, your customers and your brand. So where do you start?
- Conduct a “cyber background check”
It’s surprisingly (and scarily) common for companies to bypass the validation of vendors’ cybersecurity protocols simply on the basis of a familiar name, a credible website, or an impressive product. Instead of accepting things at face value, check to see if your vendor has ever been compromised before—reviewing the chatter on the Dark Web is a great place to start. If so, was the incident covered up or marginalized? If the answer to that question is “yes,” reconsider your options. It doesn’t hurt to be selective and demanding of vendors—and the last thing any business needs is a partner that doesn’t own up to its shortcomings.
- Establish a formal vetting process
Some companies have vendor management teams that handle the vetting and approval of third-party vendors, but their oversight process doesn’t include cybersecurity. Several security groups have been created in recent years to address these risks. In 2009, eBay and ING formed the Cloud Security Alliance to promote best practices in secure cloud computing. In 2015, AirWatch partnered with 10 other companies to form the Mobile Security Alliance as a means of mitigating threats in the mobile landscape. In 2016, 9 technology companies—Uber, Docker, Dropbox, Palantir, Twitter, Square, Atlassian, GoDaddy, and Airbnb—founded the Vendor Security Alliance (VSA), an independent, non-profit coalition designed to help member companies evaluate the security and privacy of their third-party providers and benchmark acceptable cybersecurity practices.
If your company doesn’t have an internal vendor management team—or if you do, but its activities don’t include cybersecurity and compliance—you’d be well-served to consider the assistance of one of these groups or a trusted expert like Armor. Armor’s approval process for third-party vendors is designed to ensure that each one passes the litmus test for security compliance.
- Incorporate cybersecurity into your SLA
Make your cybersecurity expectations clear in a formal Service Level Agreement (SLA) with your provider, including mandatory cybersecurity controls that comply, at the very least, with regulatory and industry standards. Your SLA should include provisions for the right to audit or conduct a security assessment of the service provider’s cybersecurity practices and of the compliance commitments initially agreed to in the contract. The SLA should also document the aforementioned data ownership and management responsibilities, spell out what the vendor will be held accountable for, and state the applicable penalties for non-compliance.
- Implement ongoing monitoring and analysis
In addition to proactive vetting, it’s just as important to have resources in place to evaluate the impact of new cyberincidents. There are a number of independent intelligence providers that offer unbiased assessments of the security status of third parties. If a third party is hit by a cyberthreat, these intelligence feeds will report it so you can determine whether the incident puts you at risk. Here’s a short list of firms operating in this space: BitSight, RapidRatings, RiskRecon and SecurityScorecard.
The Ball Is in Your Court
If your company has a vigorous cybersecurity compliance program but you’re doing business with a vendor whose program is weak or—even worse—nonexistent, make no mistake: Your business is now just as weak and vulnerable. one that defines it not as an option but, rather, as a major business risk that needs to be continually assessed and monitored.
There’s no reason to onboard risk into your environment—there’s no product or service worth it. Instead of accepting the standards of an ill-equipped third party, raise that vendor up to your own higher standard. Implement a vendor risk management process that can safeguard your business and data. At the end of the day, your company’s reputation—and perhaps its very survival—rides on it.