It seems like a broken record to say that our traditional cybersecurity systems aren’t good enough to tackle today’s threats, but this is especially true when it comes to security involving third-party vendors. As UpGuard reported, the tendency is to treat third parties and risk “as an ‘add-on’ to otherwise siloed security activities.” That’s an approach that hasn’t worked in years, as the Target breach showed us, but it is especially ineffective today as third-party vendors also are asked to keep up with internal, external and regulatory requirements of the companies they work with across a wide range of industries.
Understanding the risks that third-party vendors bring to your network and how to best manage security solutions unfortunately isn’t a one-size-fits-all option. Business relationship, regulatory forces, and specific levels of access and types of assets drive these risk discussions, according to Will Durkee, director of Security Solutions for TSC Advantage, an enterprise risk and cybersecurity consulting firm. Yet, there are steps that every company should take when working with third parties, he said:
- Assess the criticality of dependency on vendors, third parties, and business partners. Which are critical to your ability to do business and how much access do they have to your network and assets?
- Understand the specific risk/regulatory scenarios that might arise (GDPR, HIPAA, NY-DFS) specific to your sector.
- Do a baseline assessment on critical third parties and identify outliers whose security controls don’t meet your own organization’s standards.
- Decide whether to accept, mitigate or transfer discovered risks.
- Translate those decisions into contractual agreements with third parties.
- Follow up to ensure mitigation measures are being implemented.
GDPR and California Consumer Privacy Act
Durkee’s initial steps are just the start to creating a more secure work relationship with your vendors. As many in the security world are quick to point out, you can’t create a secure working environment without considering GDPR. And now you have to also consider the new California Consumer Privacy Act (CCPA).
For addressing regulatory matters such as GDPR, California Privacy, and similar matters, Tom Garrubba, CISO and senior director with Shared Assessments, explained, companies are encouraging (if not requiring) their organizations to partner together to address the market challenges; that is, you're seeing much closer relationships with the business units and their second line of defense support (e.g., procurement, legal, IT security, etc.).
“Overall, they're working collectively to review, identify, and close gaps in current processes and ensure all critical and relevant documentation (policies, procedures, standards) is accurate for review by regulators, auditors, and client assessors,” he said.
In the age of GDPR, George Gerchow, CSO with Sumo Logic, added, “organizations must also make active efforts to show they are taking security and a wide variety of regulations seriously.”
Organizations can implement three crucial steps to show they aren’t just talking the talk but also walking the walk, Gerchow added. This includes establishing a privacy program, hiring a Data Protection Officer and seeking third-party regulatory validation. “This communicates that not only are you serious about your organization’s security and privacy, but that you’ve appointed someone to lead the efforts moving forward and are also seeking outside, expert validation -- which is becoming increasingly necessary to provide to customers and partners concerned about their own third-party data,” he said.
Third Parties and Ransomware
With privacy laws and meeting those compliances at the forefront recently, it is easy to overlook the other risks that third parties open up. That’s why Atlantic.Net, a web hosting solution, for instance, is keeping a close eye on third parties and ransomware. Thanks to the spread of cryptocurriences, ransomware attacks are growing in intensity across industries, and an attack on one of your vendors can result in a lockdown of your system.
“On many occasions, these attacks succeed because users haven’t been properly trained to recognize (and avoid) suspicious links or email attachments,” said Adnan Raja, vice president of Marketing for Atlantic.Net. “Proper email security training, as well as establishing better rules for email attachments and which users are allowed to run executable files and install software can go a long way toward bolstering defenses against a cyberattack.”
Shutting the Back Door
All the security precautions in the in world mean nothing if your organization leaves the back door open.
“Too many organizations are vulnerable to hackers through their third-party vendors, which is becoming one of the most commonly overlooked components of operational security,” said Mike Baker, founder and managing partner at Mosaic451, a managed cyber security service provider. “An organization’s cyber security is often only as good as the security of its vendors and the proof is being witnessed with alarming frequency.”
If criminals are able to gain access using legitimate credentials acquired through third-party vendors, it doesn’t matter how robust your cybersecurity system is. The criminals are compromising you through the open back door.
One way to assess that risk is to create assessment and evaluation criteria that would ensure all vendors have adequate cybersecurity within their own enterprise. Third parties should be held to the same standards of vulnerability and penetration testing as you hold your own organization, for example.
“Whether it is robust security software, up to date firewalls, or personnel training on security and data protection best practices,” added Baker, “ensuring that all third-party vendors have the same robust standards of cybersecurity as your business is critical to minimize risk.”
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba