Did you know that 63% of all data breaches are directly or indirectly linked to third-party companies? This is according to a recent survey conducted by Soha Systems, and in one of his speeches the Superintendent of the New York State Department of Financial Services, Mr. Benjamin Lawsky, said that “A company’s cybersecurity is only as strong as the cybersecurity of its third-party vendors”. This article focuses on strategies that organizations should consider implementing to mitigate the cybersecurity risk posed by third-party service providers. Let us start with how a third-party data breach occurs.
How a Third-Party Data Breach Takes Place
If a hacker is targeting a large organization, they look for a gateway that will not be easily noticed. Instead of going through the target’s heightened security, they use a valid entry point to gather confidential data while masquerading as genuine users. That entry point is usually a third-party vendor whose security controls are weaker.
The attacker then leverages this access to gain entry into the larger network. If the vendor’s security controls are lax, no one may even detect that a breach has taken place. Hackers are usually patient and may take anywhere from days to months to get their hands on your information, such as bank account details, social security numbers and credit card numbers.
How To Identify And Assess The Impact Of A Potential Third-Party Security Breach
It is crucial for businesses to employ a risk-based approach to managing their third-party vendors. If you fail to assess your risks, you will not be able to manage them properly and your company will be susceptible to cyber threats. When going through the risk assessment process, keep in mind that several risk classifications can affect your company:
- Reputational risk – the problems that stem from negative public opinion.
- Transactional risk – the problems that stem from product or service delivery.
- Operational risk – the losses brought about by failed or inadequate systems, people or internal processes, or by external events.
- Strategic risk – the failure to execute business decisions in a way that matches the company’s strategic objectives.
- Compliance risk – the failure to comply with regulations, procedures, internal policies, rules, laws or business standards.
The following are the basic steps of a risk assessment:
- Describe the system, application, function or process in order to determine possible threats:
  - Who is the vendor?
  - What data do they use?
  - Where does the information go?
  - Who uses the system?
- Identify the threats, e.g. disruption of productivity or service, loss of data, unintentional exposure of information (data leakage), misuse of privilege or information by a user, and accidental or malicious unauthorized access to information.
- Determine the degree of impact were the threat to be exercised, e.g. low, medium or high.
- Look at the different categories of information to adequately analyze the control environment. In this step, examine the threat together with the compensating, detection, mitigation and prevention controls and how they relate to the threats you identified. For example, you may conclude that the environmental security controls, protection controls and management controls are inadequate and need to be improved.
- Determine a likelihood rating for the given exploit, bearing in mind the control environment your business already has. A ‘high’ likelihood rating means that the threat source you identified is highly capable and extremely motivated, and that the controls in place to prevent the vulnerability from being exercised are ineffective. A ‘low’ rating means the reverse.
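As an added worked example (not from the article), the assessment steps above as a small Python risk-rating script over constructed vendor data: impact is judged from the data each vendor handles, the base likelihood is lowered according to how many of the relevant controls the vendor actually has in place, and vendors are ordered so the highest-risk one is gauged first. The threat-to-control mapping, the rating bands and the sample vendors are all assumptions made for illustration.

```python
from dataclasses import dataclass

LEVEL = {"low": 1, "medium": 2, "high": 3}
# Hypothetical mapping of threat -> controls that make it less likely to be exercised.
MITIGATING_CONTROLS = {
    "unauthorized access": {"mfa", "least privilege", "access logging"},
    "data leakage": {"dlp", "encryption in transit"},
    "loss of data": {"backups", "encryption at rest"},
}

@dataclass
class Threat:
    name: str
    impact: str           # step 3: low/medium/high, judged from the data the vendor handles
    base_likelihood: str  # step 5 input: likelihood before crediting any controls

@dataclass
class Vendor:
    name: str
    data_handled: list    # step 1: what data do they use?
    controls: set         # step 4: controls observed in the vendor's environment
    threats: list         # step 2: threats identified for this vendor

def adjusted_likelihood(threat: Threat, controls: set) -> int:
    """Step 5: credit the control environment. Full coverage of the relevant controls
    drops likelihood two levels, at least half coverage drops it one, otherwise none."""
    relevant = MITIGATING_CONTROLS.get(threat.name, set())
    coverage = len(relevant & controls) / len(relevant) if relevant else 0.0
    reduction = 2 if coverage == 1.0 else 1 if coverage >= 0.5 else 0
    return max(1, LEVEL[threat.base_likelihood] - reduction)

def threat_score(threat: Threat, controls: set) -> int:
    return LEVEL[threat.impact] * adjusted_likelihood(threat, controls)  # 1..9

def rating(score: int) -> str:
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def assess(vendors: list) -> list:
    """Rate each vendor by its worst threat and order the list so the highest-risk
    vendor is gauged first; returns (name, score, rating) tuples."""
    rows = [(v.name, max(threat_score(t, v.controls) for t in v.threats)) for v in vendors]
    return [(n, s, rating(s)) for n, s in sorted(rows, key=lambda r: r[1], reverse=True)]

# Constructed sample vendors (not real organizations).
VENDORS = [
    Vendor("newsletter-saas", ["email addresses"], {"dlp", "encryption in transit", "mfa"},
           [Threat("data leakage", "medium", "medium")]),
    Vendor("payroll-processor", ["SSNs", "bank accounts"], {"mfa"},
           [Threat("unauthorized access", "high", "high"),
            Threat("loss of data", "high", "medium")]),
]
```

Calling `assess(VENDORS)` puts the payroll processor first with a high rating because its one control covers less than half of what would mitigate unauthorized access, while the newsletter vendor's full coverage of the data-leakage controls drops it to low.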
Managing Third Party Company Risks
Your organization may be doing everything possible to ensure that its in-house cyber defenses are at full strength, but you must also ensure that your vendors’ cybersecurity standards meet or exceed those of your organization.
The first step, therefore, is to gauge all vendors, beginning with the one with the highest risk rating, because at this point you already know which vendors you consider the highest and lowest risk. Below are some of the methods you can use to assess them:
- Compliance with relevant standards: This is probably the best place to begin. If you as an organization are expected to comply with certain standards, there is no excuse why your vendor cannot meet those standards too. Ask them to present copies of their compliance certificates to ascertain that they indeed meet those standards. Additionally, ask them to provide proof that their security controls are effective, e.g. compliance reports, vulnerability summaries, SOC 1 and SOC 2 reports. You will also need evidence of security practices through the contract and documentation such as financial statements, proof of insurance, a list of recent breaches, disaster recovery test results, the business continuity program and information security policies, among others.
- Have an inspector do an on-site visit: Send a representative from your company, preferably someone conversant with cybersecurity matters, to tour the site and conduct interviews with the vendor to better understand their level of cybersecurity.
- Use questionnaires: Have the vendor complete in-depth questionnaires that focus on the cybersecurity practices specific to their own organization.
- Use an independent third-party assessment: This is usually a yearly penetration test or compliance audit that gives your company the necessary assurance. Although it is normally an annual assessment, additional evaluations may be conducted whenever there is a noteworthy change to the third-party company’s operating or business environment.
- Use continuous monitoring software: The traditional vendor risk management methods discussed above have advantages of their own and you should never write them off. They will help you gauge your vendor’s risks to a certain level, but they still fall short: they assess the security of the vendor only at the time the tests are run. This is where ongoing monitoring software comes in handy, because, as the term ‘continuous’ suggests, the assessment goes on at all times. Such tools alert you the moment your third-party company’s network is altered, even slightly. This offers you the highest level of protection.
- Have a plan B in case plan A fails: If a vendor fails to meet the required security standards or fails to provide your company with the contracted services, you will have no choice but to switch to another supplier, especially if the service they provide is critical to your business. This is why you need to know what good alternatives exist that can provide the same or a better level of service.
- Ensure that all contracts between the parties clearly define cybersecurity expectations by establishing an SLA (Service Level Agreement). As an organization, there are cybersecurity standards you expect from your vendor, including the mandatory cybersecurity controls required by industry and regulatory standards. If these expectations are not made clear, you will significantly increase your vendor risk. This is why the SLA is important: it makes all your cybersecurity expectations of your service provider explicit. For starters, it includes a provision giving you the right to conduct a security assessment or a compliance audit of the vendor’s security practices. It also includes provisions specifying what you want the service provider to be held accountable for, and holds them to breach notification requirements and an industry-specific compliance standard. Finally, the contract can also state what the vendor is held accountable for if it does not comply with any of the agreed provisions, and the consequences that follow.
While almost all businesses nowadays require the services of partners and third-party vendors in order to thrive, they may also be inviting a weak link into their cybersecurity defenses. To mitigate the cybersecurity risks that are channeled through third-party companies, businesses must first understand what these risks are before devising a security plan to prevent hackers from exploiting the trusted relationships between businesses and their clients. The key is for organizations to work in partnership with their service providers to remedy weaknesses and prevent cyber attacks before they take place. This way, you can be assured of the security of your company data, as well as of any data that a third-party supplier holds in order to make it easier to conduct business.
by Edgar Vera, MS Cybersecurity