Third-party vendors are the weak links in cybersecurity


(Editor's note: No business network is too small for cyber criminals to breach and then figure out how to leverage. In this guest essay, Matt Cullina, CEO of IDT911, which sponsors ThirdCertainty, discusses the wider implications.)

By Matt Cullina, Special to ThirdCertainty

The old adage says you are what you eat, and when it comes to vendor security you are your vendor. Any serious breach of a third-party vendor's system is effectively a breach of your own, a risk you accept the moment you begin outsourcing.

As recent headlines have shown, even a small third-party breach can cause serious reputational and financial damage. Companies are outsourcing more and more, committing ever greater resources to the cloud, to payroll services and to other vendors to streamline their businesses. In this business climate, is it actually possible to cover your assets?


To answer that question, it is important to consider the nature and prominence of third-party breaches, as well as their causes and the repercussions for both vendor and business. Although organizations know they should take their own cybersecurity seriously, they often overlook the cybersecurity of third parties. The convenience, cost-effectiveness and flexibility of outsourcing come with significant risks, which means businesses and professionals must implement effective and comprehensive compliance measures to safeguard both their own and their customers' data.


An often overlooked but integral element of that process is third-party risk management. A company's cybersecurity is only ever as strong as the cybersecurity of its third-party vendors. This is equally a problem of image, because customer perception can mean everything to a business's bottom line. If systems are breached and data is put at risk, customers tend not to care whether the incident is the fault of the institution itself or of a third-party vendor. Reputational and financial damage ensues regardless and ultimately affects revenue and profitability.

As companies of all sizes have become increasingly conscious of the extensive risks posed by cybersecurity breaches, they have begun to form comprehensive strategies and devote the necessary resources to identify, manage and eliminate internal vulnerabilities. In doing so, these businesses are attempting to mitigate their exposure to potential cybersecurity incidents.

Multipronged approach works best

Such businesses have found that they must address cybersecurity risk management from multiple angles. This includes investing in robust IT security systems, conducting employee training, considering the purchase of cybersecurity-related insurance policies, developing a data breach response plan, and so forth.

An obvious point, but one that often is overlooked, is the effective "vetting" of potential third-party organizations. This could take the form of a full review or presentation process, or be as simple as paying them a visit and asking for a tour of their offices and a full explanation of their operations. In effect, this is a kind of face-to-face audit, and it complements all the written documentation and attestations you receive.

As far as additional compliance goes, the first process to put in place is making sure your business has a complete overview of exactly who has access to data, and which data each of them can see. These days most, if not all, organizations provide some kind of data or systems access to at least some third-party vendors, including law firms, consultants, data storage providers, accountants or even the manager of an office building.
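As an added illustration of that first process (not part of the essay), the following Python script reviews a constructed third-party access register for the gaps such an overview should surface: grants that have expired but are still on the books, grants with no accountable internal owner, grants not re-attested within the review period, and grants that reach data more sensitive than the vendor's contract permits. The vendor names, systems, classification scheme, dates and field names are all assumptions made up for the example.

```python
"""Third-party access review: does the register answer 'who can see which data?'

Added illustration, not the essay's own material. The register rows, vendor
names, systems, dates and classification scheme are constructed for this
example (assumptions, not real data), and the field names are this script's
own, not any standard.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Data classification ordered from least to most sensitive (assumed scheme).
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class AccessGrant:
    vendor: str            # third party holding the access
    system: str            # system or data store the grant covers
    classification: str    # most sensitive data reachable through the grant
    owner: str             # internal person accountable for the grant ("" = nobody)
    expires: date          # contractual end of the access
    last_reviewed: date    # last time the owner re-attested the grant is still needed


# Constructed sample register (not real organisations or systems).
REGISTER = [
    AccessGrant("payroll-provider", "hr-db", "restricted", "hr-lead", date(2025, 12, 31), date(2025, 6, 1)),
    AccessGrant("law-firm", "contracts-share", "confidential", "legal-lead", date(2025, 12, 31), date(2024, 1, 15)),
    AccessGrant("building-manager", "badge-system", "internal", "facilities", date(2024, 3, 31), date(2024, 1, 10)),
    AccessGrant("cloud-storage", "backup-bucket", "restricted", "", date(2026, 1, 1), date(2025, 5, 20)),
    AccessGrant("consultant", "finance-db", "restricted", "cfo", date(2025, 12, 31), date(2025, 7, 1)),
]

# Highest classification each vendor's contract permits it to handle (constructed).
CONTRACT_CEILING = {
    "payroll-provider": "restricted",
    "law-firm": "confidential",
    "building-manager": "internal",
    "cloud-storage": "restricted",
    "consultant": "confidential",   # contract never allowed restricted data
}

# Assumed "today" for the review so the example is deterministic.
AS_OF = date(2025, 9, 1)


def review_register(register, contract_ceiling, today, max_review_age_days=365):
    """Return (vendor, system, issue) findings for every grant that fails a check."""
    findings = []
    review_cutoff = today - timedelta(days=max_review_age_days)
    for g in register:
        if g.expires < today:
            findings.append((g.vendor, g.system, "expired grant still in register"))
        if not g.owner:
            findings.append((g.vendor, g.system, "no accountable internal owner"))
        if g.last_reviewed < review_cutoff:
            findings.append((g.vendor, g.system, "not re-attested within review period"))
        ceiling = contract_ceiling.get(g.vendor)
        if ceiling is None:
            findings.append((g.vendor, g.system, "vendor has no contract on file"))
        elif CLASSIFICATION_RANK[g.classification] > CLASSIFICATION_RANK[ceiling]:
            findings.append((g.vendor, g.system,
                             f"grant reaches {g.classification} data but contract caps at {ceiling}"))
    return findings


def visibility_by_vendor(register):
    """Answer 'which data can each vendor see?': vendor -> sorted (system, classification) pairs."""
    view = {}
    for g in register:
        view.setdefault(g.vendor, set()).add((g.system, g.classification))
    return {vendor: sorted(pairs) for vendor, pairs in view.items()}


if __name__ == "__main__":
    for vendor, system, issue in review_register(REGISTER, CONTRACT_CEILING, AS_OF):
        print(f"{vendor:18} {system:16} {issue}")
    for vendor, items in visibility_by_vendor(REGISTER).items():
        print(vendor, items)
```

The checks are only as good as the register they run over: a list maintained by hand drifts from reality, so in practice the rows should be generated from the actual entitlements (identity provider groups, SaaS admin roles, storage bucket policies) and the contract ceiling from the signed agreement, with the review repeated on a schedule rather than once.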

Get it in writing

Similarly, a well-designed contract is key, both for the relationship with third-party vendors and in case of litigation or other legal issues further down the line. If it has not already done so, your organization should review existing vendor contracts with an eye toward mitigating cybersecurity risk. Within the contract, businesses can extend their own security standards to vendors, or include provisions requiring vendors to comply with specified security procedures.

Once a contract has been agreed upon, it is important to establish and develop guidelines for future agreements. Such guidelines should include standard provisions such as those described above, as well as an outline of the benefits of outsourcing measured against the associated risks.

Communication is key

From an internal point of view, it also is important to ensure that all teams within a business are working together effectively, and that they maintain regular contact with third-party vendors. For example, IT needs to work closely with procurement and with every other function that manages third parties, so that no vendor relationship becomes an unexamined path to critical corporate information assets.

The principal objective of all the above compliance is to prevent a cyber breach, and to limit the damage of any incident that does occur. The preparation and robustness of an organization's procedures and practices with regard to third-party vendors will also limit its liability in any subsequent litigation. To this end, regulators already have begun to place increased scrutiny on third-party relationships with specific regard to cybersecurity, and this looks set to continue. As the cyber threat increases, so too must the protective measures undertaken by companies.

