Hardly a week goes by without hearing about yet another company’s data being compromised after hackers gained access to it through a third-party vendor. Each incident highlights that it’s no longer enough for companies to focus solely on their in-house cyber security defences. Companies now also need to ensure that their third-party vendors’ cyber security standards meet or exceed their own.
As companies adopt new technologies in short timeframes, they are increasingly turning to outsourcing, with the result that third-party providers have access to sensitive data more than ever before. Moreover, with the Notifiable Data Breach (NDB) scheme and the EU’s General Data Protection Regulation (GDPR) in effect, heightened public awareness of cyber threats and the rapid evolution of new types of threats, the risks associated with third-party attacks have never been higher.
Added to that, service providers are now firmly in the cyber-criminal’s crosshairs. Because they often have privileged access to multiple customer environments and are inherently trusted to store and protect confidential information, cybercriminals view service providers as treasure troves. The Trustwave 2018 Global Security Report (GSR) found a marked increase, with 9.5% of the compromises it investigated targeting businesses that provide IT services. In comparison, service provider compromises did not even register in the 2016 GSR statistics.
Today, companies need to approach third-party cyber security differently than they have in the past. Companies need to see third-party security as a business risk that needs to be continually assessed and monitored.
Identify and assess risk
Third-party providers should be included in a company’s risk assessments alongside its other systems. In many of the cases Trustwave investigated over the past year, client data was compromised via third-party remote access tools, and the third-party provider often had unfettered access to all client systems. A breach of the provider therefore resulted in breaches of all of its clients. You need to review the level of access each third party actually needs, grant no more than that, and adhere to the principle of least privilege.
Identifying and assessing the impact of a potential security breach of each service provider is critical to mitigating these security risks. Identify and list each provider no matter how minor the current relationship. The most significant relationship may not be the biggest risk. Critically, you need to know where your data is and which provider has access to what data. Rate each vendor – high, medium or low – based on the impact a breach may have on your company.
Gauging third-party security
Starting with the provider with the highest risk rating, evaluate each provider’s cyber security capabilities. Compliance with relevant standards is a good starting point. Keep in mind that if you are required to maintain compliance with any standard, your third-party providers should also be meeting that standard. There is nothing wrong with requesting copies of their compliance certifications. Companies can follow up by requiring these service providers to complete an in-depth questionnaire about their security practices.
Finally, an independent third-party assessment in the form of an annual compliance audit or penetration testing could then follow to provide the company with the requisite assurance. The assessment needs to be done annually with further evaluations being done when any significant change to the provider’s environment takes place.
Cyber Security SLAs
Establishing a Service Level Agreement (SLA) with your provider makes your cyber security expectations clear including mandatory cyber security controls that comply, at the very least, with regulatory and industry standards.
The SLA should include provisions for the right to audit or conduct a security assessment of the service provider’s cyber security practices and compliance initially agreed to in the contract. Further, the SLA should also include what the provider would be held accountable for and the applicable penalties for non-compliance with the agreed provisions.
Third-party providers are core to many companies, but they can also be the weakest link in a company’s cyber security defence. To mitigate third-party cyber security risks, companies, more than ever, need to understand the nature of these risks, develop a security plan around them and collaborate with their third-party providers to remediate and mitigate such risks as they arise.
Trustwave 2018 Global Security Report link: