I have seen that most companies spend significant resources on internal security, for example, vulnerability scans, SIEM, centralized log management, end-user security awareness training, and much more. But they also tend to make the cardinal mistake of not extending the same diligence to their vendors or third parties.
It is my view that they don't realize the full magnitude of the danger this approach involves. After internal employees, your vendors are the second weakest link in your (security) chain.
If your company chooses not to verify the security of its vendors/third-parties, then it is significantly increasing its own RISK while reducing the security assurance of its own information systems.
It is essential for all security managers to realize that --
"If a data-breach happens at your company and the cause of this breach is found to be at any of your third-parties, it is still your company’s name and brand that is at risk. You are not absolved of your own legal responsibilities. Your company may be penalized for this error."
-
What Damages Can Your Vendors Do To You?
You will know the answer, when you consider the following:
• How much access does each vendor individually have to your IT systems?
• How many controls have you established to contain their access?
• How much data is exposed to them? What is the criticality of that data to your company?
So many companies tend to outsource functions such as Accounting, Legal, etc. to vendors or third parties. If any of them gets unfair or unrestricted access to your IT systems, then in this example you would be releasing highly private and potentially valuable data into the unknown IT systems of your vendors, with unknown controls and unknown users. Don't you think that is too risky by default?
How can you be confident they take these cybersecurity threats as seriously as you do? Or are they even aware of them?
• In a survey by PricewaterhouseCoopers (2018), 63 percent of all cyber-attacks could be traced either directly or indirectly to third parties.
• According to an Opus and Ponemon Institute study (2018), 59% of companies have experienced a data breach due to one of their vendors or third parties.
• According to an eSentire survey (2019), nearly half of all data breaches experienced by organizations were caused by a third-party vendor.
• In fact, the enormous magnitude of the recent SolarWinds hack (2020/21) is the inspiration behind writing this post.
Some of your vendors may include cloud service providers, payment processing providers, or supply chain partners, and others; all of them must be considered for third-party security risk management.
-
What Should You Do?
Your company must develop a more robust stance on vendor management. If you are ready to build a truly effective and mature 'Vendor Management Program' then you must be willing to dedicate the time and resources also to do it right.
It will require you to develop the following:
1. A Vendor Management Policy
It should cover the objectives behind assessing the security at vendors, staff responsibilities, communication & reporting channels, and other core components of the overarching program.
2. Procedures (SOPs)
Along with the policy, your organization will need several defined procedures to implement and manage the vendor management program effectively. These procedures can include:
• Assessment outlines/workflows
• Documentation management
• Evidence requirements, etc.
3. A Ranking System
The idea here is very simple. You want to categorize your vendors based on their security readiness. Though there are many parameters from which a reasonable ranking system can be built, you are still advised to take the following factors seriously while devising it:
• Sensitivity of data they receive
• Volume of data they receive
• Importance of service they provide
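As an added illustration (this is not code from the original post), here is a small Python scorer that turns the three factors above, plus the question of direct system access raised earlier, into a risk tier for each vendor. The 0-3 scales, the weights, the floor for vendors with system access, the tier cut-offs and the sample vendor register are all assumptions chosen for this example; a real program would tune them to its own policy.

```python
from dataclasses import dataclass

# Ordinal scales for the three ranking factors named in the post. The labels
# and the 0-3 scale are assumptions for this example, not from the post.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
VOLUME = {"none": 0, "low": 1, "medium": 2, "high": 3}
IMPORTANCE = {"non-essential": 0, "supporting": 1, "important": 2, "critical": 3}

# Relative weights (assumption): what the vendor can expose matters more than
# how much of it flows, so sensitivity carries the largest weight.
WEIGHTS = {"sensitivity": 0.5, "volume": 0.2, "importance": 0.3}

# Score floor for vendors with direct access to your IT systems (assumption):
# such a vendor is never treated as lower than Tier 2, whatever its data profile.
SYSTEM_ACCESS_FLOOR = 2.0

# Tier cut-offs on the 0-3 score, highest first (assumption).
TIERS = [
    (2.25, "Tier 1 - critical"),
    (1.25, "Tier 2 - high"),
    (0.50, "Tier 3 - moderate"),
    (0.00, "Tier 4 - low"),
]


@dataclass(frozen=True)
class Vendor:
    name: str
    sensitivity: str          # key of SENSITIVITY
    volume: str               # key of VOLUME
    importance: str           # key of IMPORTANCE
    has_system_access: bool   # direct access to your IT systems


def inherent_risk_score(v: Vendor) -> float:
    """Weighted score on a 0-3 scale, raised to SYSTEM_ACCESS_FLOOR for vendors
    that hold direct access to your systems. Unknown labels raise KeyError so a
    typo in a vendor record cannot silently score as zero risk."""
    score = (
        WEIGHTS["sensitivity"] * SENSITIVITY[v.sensitivity]
        + WEIGHTS["volume"] * VOLUME[v.volume]
        + WEIGHTS["importance"] * IMPORTANCE[v.importance]
    )
    if v.has_system_access:
        score = max(score, SYSTEM_ACCESS_FLOOR)
    return round(score, 2)


def tier_for(score: float) -> str:
    """Map a score to the first tier whose cut-off it reaches."""
    for cutoff, label in TIERS:
        if score >= cutoff:
            return label
    return TIERS[-1][1]


def rank_vendors(vendors):
    """Return (name, score, tier) for every vendor, highest risk first;
    ties are broken by name so the ordering is stable between runs."""
    ranked = []
    for v in vendors:
        score = inherent_risk_score(v)
        ranked.append((v.name, score, tier_for(score)))
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


# Constructed sample vendor register for this example (fictitious vendors).
SAMPLE_VENDORS = [
    Vendor("payroll-saas", "restricted", "high", "critical", True),
    Vendor("legal-counsel", "confidential", "low", "important", False),
    Vendor("marketing-analytics", "internal", "high", "supporting", False),
    Vendor("helpdesk-msp", "internal", "low", "important", True),
    Vendor("office-cleaning", "public", "none", "supporting", False),
]

if __name__ == "__main__":
    for name, score, tier in rank_vendors(SAMPLE_VENDORS):
        print(f"{name:<20} {score:>4}  {tier}")
```

The point of the floor is that a low-data vendor with a foothold in your network (here the fictitious helpdesk MSP) still lands in a tier that gets a full assessment, which a pure data-based weighting would miss. The tier is what should drive assessment depth, evidence requirements and who is notified under the escalation point described below.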
4. Escalation Point
It is very important to assign a senior management person at your company who MUST be urgently notified through official channels if any vendor is found seriously lacking in your security assessment of them. Experience has shown that most vendors will not take anybody seriously other than a senior management person, and he or she should be capable of taking decisions in full capacity. However, you may still need to assign some staff members for routine vendor assessments and other liaison work with respect to information security.
5. Review of SLAs with Vendors
It is an understatement to say that your company must embed all important information security requirements into its Service Level Agreements (SLAs), so that every vendor is obliged to meet your security needs.
--------------------
IMPORTANT:
All these security requirements of your company should be monitored by the specific teams or employees that work with these vendors regularly. The staff using the system or working with the vendor will be in the best place to notice abnormalities or contractual failings on the part of the vendor.
--------------------
6. Vendor Cyber Risk Assessments
A third-party cyber risk assessment works by providing an in-depth review of your vendors’ network security. The assessment is an evaluation and approval process that organizations use to determine whether prospective vendors and suppliers can meet laid-down standards and procedures once under contract.
The assessment helps your organization understand the level of risk associated with using a certain third or fourth-party vendor’s product or service.
-
Vendor management is a complex and time-intensive task to which many organizations do not, and in many cases cannot, dedicate the time and resources it needs. For companies with a small number of vendors this can be manageable, but most organizations will need additional support to create and implement these programs effectively. By dedicating resources to developing a program, your organization can begin to understand and eliminate the threats posed by your vendors and third parties.
REMEMBER:
It is extremely important to keep track of your ever-expanding vendor ecosystem, because digitization has fueled a massive increase in the number of suppliers for the average business.
Your vendors often have access to your company’s networks or supply it with software solutions or applications. A weakness in your vendor’s network or software – or even in the network of a fourth-party vendor – can open the door for cyber criminals. This means that a cyber event can originate several steps away from your company’s primary supply chain and still result in severe consequences to your company.
-
Please let me know what you think about this in the comment section. You can also share it with others if the information here helps you in some manner.
Kindly write your comments on the posts or topics, because when you do that you help me greatly in designing new quality articles/posts on cybersecurity.
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking.
She is so passionate about the Cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about Cybersecurity on her website and social media platforms.
34,000+ professionals follow her on Facebook and are impressed by the quality of her posts there.
If you haven't yet come across her work of sharing quality information about Cybersecurity, you can follow her on Facebook at Cybersecurity PRISM.