An often overlooked aspect of securing your business is how you deal with third-party vendors. As part of your business you may need to share information, software or access to your computer network with other businesses, and this creates a potential security risk. Any information that you share with a third-party vendor is still your responsibility. If they have a data breach, you have a data breach, and you will be responsible for notifying your customers and regulators, the same as if your company was the one that was hacked. Hackers can also use the connections between different companies as a means to pivot from one company to another. A recent example of this is the SolarWinds incident. SolarWinds is a software company, and once hackers were able to compromise SolarWinds they put malware into its latest software update, which was sent to all of its clients. Once the clients installed the new software update they were infected with that same malware.
Another example of this is business email compromise (BEC). If one of your third-party vendors gets hacked, the hacker can send you an email with malware disguised as a regular email attachment. Since you are already accustomed to getting emails from this company, you will most likely open the email and download the attachment without being suspicious. These are just a couple of examples of how third parties can add risk to your business, which is why you want to do what you can to make sure you're protected from that risk of doing business. First, here are the three main categories of risk that come with using third-party services:
Network Security: If another company has access to your network in an insecure way, this can lead to your company getting hacked, which is typically very expensive to recover from. On average, share prices drop 7% following a cyberattack, and the average cost is over $3 million.
Regulatory: This is where a third-party vendor that has your company's information is not compliant with one or more of the regulations that affect your company. You are ultimately responsible for ensuring that any information you share with a third party is handled in compliance with the applicable regulations. Not being compliant may result in fines, or may require you to suspend your business operations if it's a serious offence.
Operational: This would be any disruption to your company's operations that leaves you unable to provide products or services to your customers. A common example of this is using a cloud provider: if the server hosting your website goes down unexpectedly, your customers will not be able to access your website, and that will cost you business. If your company has a business model like Netflix that requires high uptime, this can be catastrophic.
How you can mitigate your third-party risks
Identify all your third-party vendors and their contact information: You should keep a record of every vendor your company uses, including their contact information, terms of service and other relevant information.
SLA: Your service level agreement should outline exactly what services you will be provided with. For example, it should guarantee a certain amount of uptime and, in the event that this service is not delivered, it should outline what corrective action will be taken and what compensation will be provided if they can't recover in a timely manner. You should also have it in writing that your company will be notified in the event of a data breach, and you should provide a dedicated mailbox for them to send that notification to.
Use industry-standard vendor assessments: You can use the assessment programs of established vendors like Microsoft or Adobe for assessing your vendor's risk level. These outline the security controls they assess in every third-party vendor that stores or processes their company data. Here are some common examples of what you want to check for, provided by Security Boulevard:
Assertion of Security Practices: Review of security certification attestation reports (SOC 2 Type II, ISO 27001) and internal security policies and standards
User authentication: Password policies, access control processes, and support of multi-factor authentication
Logging and audit: Details about system/app/network logs and retention periods
Data Center Security: Physical security controls in locations where company data is hosted
Vulnerability and Patch Management: Cadence of external/internal vulnerability assessments and pen tests as well as timelines for vulnerability remediations
End-point protection: Policies that cover end-point security
Data Encryption: Encryption of data at rest and in transit
There are also vendor-neutral industry standards that you can use in assessing your vendor's risk management. Here are some of the popular ones:
– SOC 2
– ISO 27001
– Consensus Assessment Initiative Questionnaire
– NIST Risk Management Framework 2.0
– CIS Critical Security Controls
Give as little information as possible: You want to make sure you only give information that is absolutely necessary for the vendor to do their job. You should be able to give a business reason for every piece of information you hand to your vendors. Additionally, where possible you should break the information up so that it can't be used to identify an individual. For example, a social security number by itself isn't very useful, but if you have a person's first name and last name along with the social security number, it becomes much more useful for fraud. So wherever possible, split the information so that it can't be used to harm anyone. This process is called data anonymization: protecting private and sensitive information by erasing or encrypting the identifiers that connect an individual to stored data.
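The splitting described above, as an added example that is not part of the original article: the customer records, the key and the list of fields the vendor is allowed to receive are all constructed for illustration. Direct identifiers are replaced with a keyed HMAC token before the data leaves the company, the token-to-person table stays in house, and any request that includes a direct identifier is rejected because it has no business justification.

```python
import hashlib
import hmac

# Constructed sample export of the kind a vendor might request. Not real people.
CUSTOMER_RECORDS = [
    {"first_name": "Alice", "last_name": "Example", "ssn": "123-45-6789",
     "plan": "gold", "state": "CA"},
    {"first_name": "Bob", "last_name": "Sample", "ssn": "987-65-4321",
     "plan": "basic", "state": "NY"},
]

# Fields that identify a person on their own or in combination with the SSN.
DIRECT_IDENTIFIERS = frozenset({"first_name", "last_name", "ssn"})


def pseudonymize_for_vendor(records, key, fields_needed):
    """Split records into a vendor-facing view and an in-house lookup table.

    The vendor view carries only the business-justified fields plus an opaque
    token. The token is a keyed HMAC of the SSN, so the vendor cannot recover
    the SSN and cannot link the token to a person without the key. The lookup
    table (token -> identifiers) is kept inside the company and never shared.
    """
    leaked = DIRECT_IDENTIFIERS & set(fields_needed)
    if leaked:
        raise ValueError(f"no business justification for sharing: {sorted(leaked)}")
    vendor_view, lookup = [], {}
    for rec in records:
        # Keyed hash rather than a plain SHA-256: SSNs have only ~1e9 possible
        # values, so an unkeyed hash could be reversed by brute force.
        token = hmac.new(key, rec["ssn"].encode(), hashlib.sha256).hexdigest()[:16]
        vendor_view.append({"customer_token": token, **{f: rec[f] for f in fields_needed}})
        lookup[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
    return vendor_view, lookup


def vendor_view_is_clean(vendor_view):
    """Pre-release check: confirm no direct identifier reached the vendor view."""
    return all(not (DIRECT_IDENTIFIERS & set(rec)) for rec in vendor_view)


if __name__ == "__main__":
    key = b"in-house-key-placeholder"  # in practice, fetched from a secrets manager
    view, table = pseudonymize_for_vendor(CUSTOMER_RECORDS, key, ["plan", "state"])
    print(view)
    print("clean:", vendor_view_is_clean(view))
```

Because the token is deterministic under one key, the vendor can still correlate a customer's records over time, which is usually what they need; rotating the key breaks that linkage when the relationship ends.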
Monitor the news for your vendors: As mentioned earlier, if your vendors suffer a data breach you are ultimately responsible as the owner of that information. Therefore, it's important that you keep tabs on your vendors to see if they are affected by any data breaches, so that you can meet your notification deadlines and take all of the required steps to protect your consumers' information.
Get involved if a data breach occurs: If your vendor does suffer a data breach, you have two main objectives. Firstly, you want to know whether it directly affects the security of your company. For example, if they have a malware outbreak and they have access to your company's network, you need to consider whether it may have spread to your company as well. Likewise, if someone's email account within that vendor was hacked, you need to check whether it sent any phishing emails to your company, because if someone clicked the link or downloaded an attachment, your company may be affected. Secondly, you should get a statement from the vendor confirming whether any of your company's information was leaked. This statement is important for proving that you did your due diligence in investigating the incident.
Have good onboarding and offboarding processes: You want a standard onboarding process for new vendors. During onboarding, make sure they understand your information security standards and policies and any compliance requirements you have, and that they have agreed to adhere to those standards. Once the business relationship has ended, it's important that you offboard your vendors: have them delete all of your company's information from their systems and get written confirmation that they have done so.
Use security ratings: You can use security ratings to monitor how secure your vendors and their vendors are in real time. Tools such as BitSight use open source intelligence to evaluate your vendors. They can monitor several vendors at a time and can save you a lot of time by not having to do that research yourself. They can also be set up to alert you if your vendors are mentioned in the news for having a data breach. However, most of these tools are not free and can be quite expensive.