When the last person leaves the office at night, the doors are supposed to be locked with the alarm set, but tonight, the alarm is off, and a side door is left propped open by a provider. When no one is looking, an intruder creeps in, filling his bag with corporate electronics full of confidential information. Everything is caught on camera, but no one is there to stop the attack.
This scenario is not much different from what happens in the cyber world. A vendor makes an error that seems small but is enough to enable a hacker to access the company’s network and systems. Think Target and, most recently, Massachusetts General Hospital. Both fell victim to breaches that were triggered by third-party blunders.
In the case of Target, a vendor was the victim of a low-tech phishing attack. Clicking one bad link in a malicious email allowed the hacker to install malware. Because the vendor involved was reportedly using a free version of Malwarebytes with no real-time protection, the hacker was able to conceal its penetration of the vendor’s systems. The hacker then stole the credentials needed to access the retailer’s online vendor portal. Once in, the hacker installed data-stealing malware on Target’s point-of-sale systems, paving the way for the intruder to capture millions of consumers’ credit card details.
This example shows that vendor information security (IS) poses a great risk to businesses and, in worst-case scenarios, can cause great damage. Despite this risk, PwC’s “US State of Cybercrime Survey” found that only 62% of organizations evaluate the IS programs of third-party partners. A systematic program for assessing the security posture of vendors should be a must for every business that works with third parties. Below are five steps that will empower you to mitigate third-party IS risk.
1. Conduct proper due diligence during the vendor selection phase.
Many companies rely on evaluating a vendor’s IS program by whether it has certifications, such as SSAE 16 and ISO 27001. This should be a starting point, not an ending point. The baseline standards do not provide full insight into an organization’s IS posture. To gain a more comprehensive view, ask the following questions:
- Do you have an IS policy? You should also ask about physical security policies, as the two are interconnected.
- How do you train employees on your policies? In most incidents, a breach occurs due to human error. Ongoing, comprehensive employee training helps mitigate this risk.
- What security technology do you use? Do not just ask what technology they use; ask for versions. Make sure they are running the most current versions and are staying up to date.
- What best practices and processes do you leverage? Ask specifically whether the vendor applies “defense in depth” (an information assurance strategy that layers multiple security controls) and whether it follows the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
2. Group vendors into risk tiers.
Depending on your business, you could have hundreds of vendors to manage, often with limited resources. To make the most of those resources, group vendors into two tiers. Tier one should be for vendors that pose a greater risk because they have access to your network and systems. Dedicate more time and resources to this group, as it requires more oversight. Tier two vendors do not have access to your systems and network and, thus, pose less risk to your organization.
3. Require vendors to have a business continuity plan in place.
If a breach occurs, you do not have time to scramble and build a plan. A sound business continuity plan should include, but should not be limited to, backup operations, a taskforce with designated members with clear responsibilities, a notification hierarchy, a communication plan, and testing. Make sure your vendor regularly evaluates its plan and updates it as needed.
4. Leverage contracts to reflect your risk management objectives.
Once you have identified which tier a vendor falls in, make sure your contract clearly states what you need and expect from the provider. For instance, if you need a vendor to adhere to technical requirements or if you want an annual IS audit, include it in the contract.
5. Monitor vendors on an ongoing basis.
Hackers are continuously finding new means of infiltration. As a result, IS programs must evolve constantly. Make sure your vendors are continuing to leverage best practices and technologies and are updating their policies to reflect the current risk environment.
Anthony Dupree is the Chief Information Officer and Chief Information Security Officer of Novitex Enterprise Solutions. Anthony holds certifications from the Information Systems Audit and Control Association and the International Council of Electronic Commerce Consultants. For more information, visit www.novitex.com.