There are myriad security risks in giving third-party vendors access to your network and data. If a third party gets hacked, your company can lose vital business data, and confidential employee information can be compromised. If it’s a serious hack, the consequences for your company can range from white-hot media attention to a damaged reputation, lawsuit hell, higher insurance costs, extensive financial loss and even bankruptcy.
Some of the most devastating breaches in the past few years have been rooted in the security weaknesses of third parties, and in fact, hackers themselves admit that contractors are often their primary target. Case in point: the massive Target breach in 2013, which exposed about 40 million debit and credit card accounts. The initial intrusion into Target’s systems was traced back to network credentials stolen from a third-party HVAC vendor.
A recent study found that 63 percent of data breaches were linked to a third-party vendor that was responsible for system support, development and/or maintenance. In some cases, the victimized companies did not even know that a third party handled certain security functions.
Although it may be impossible to eliminate third-party security risks altogether, you can do a better job of containing them through prudent planning, regardless of your company’s size or IT budget. With that in mind, here are four important steps a company can take to reduce the risk of a data breach when working with third parties:
Step 1: Start with Internal Safeguards and Multiple Layers of Protection
The best way to protect your organization from security threats resulting from work with other vendors is to start from within. Begin by enacting a multi-layered defense strategy that covers your entire enterprise, all endpoints, all mobile devices, all applications and all data.
Those layers should include encryption, and two- or even three-factor authentication for all network and data access requests from third parties. When it comes to security, more is generally better: more controls and more protocols. Of course, the extra layers of security won’t function very well unless your IT department is fanatical about applying software updates and patches in a timely fashion across the network.
Also, establish a comprehensive data security policy for your employees to follow, and never stop educating them about best practices. Take steps to make sure they comply by implementing data classification, access rights and limitations, auditing and more. Above all, counsel them against releasing any security credentials to unauthorized parties. Research shows that credentials are the top threat vector for third-party hacks.
Step 2: Raise a Red Flag About the Power of Prevention
“An ounce of prevention is worth a pound of cure,” as the old saying goes, and it’s an important reminder for avoiding vendor-related security threats. Raising a red flag about prevention in your organization and in your customers’ and vendors’ organizations is essential. Don’t pass up the opportunity to educate not only across the enterprise, but also in the upward direction: your board, CEO, CFO, CMO and others in command need to know that prevention is the best policy. Many top executives don’t want to throw time, money and resources at initiatives they don’t see as urgent, but when a breach happens, they’ll do anything to put an end to it, and often the organization simply can’t recoup some of its losses. Far more money is frequently spent on fixing breaches than on putting preventative practices in place. IT leaders need to continually reinforce the idea that the threat is real as they communicate with company executives.
Step 3: Perform a Third-Party Vendor Assessment
The biggest third-party hacks in recent years have been the result of organizations giving their business partners access to sensitive information and systems, access to the network, responsibility for managing systems, and responsibility to host data and applications. The reality is that even your most trusted business partners can pose a security threat if they don’t have best practices in place.
Some third-party vendors only need access to your network, while others need access to specific data. Your third-party assessment should start by focusing on access: implement a “least privilege” policy covering who can access your data and network, and specifically what they can access. Regularly review the use of credentials with your third parties and understand who is using them within the partner organization. And keep temporary access truly temporary: a grant that outlives its purpose is an open door you no longer know about.
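The credential review described above can be automated as a periodic check over an inventory of vendor access grants. The following is an added example, not code from the original article: it assumes a hypothetical catalogue of the scopes each vendor role legitimately needs (ROLE_ALLOWED_SCOPES) and a constructed inventory of grants (SAMPLE_GRANTS), and flags grants that exceed their role’s scopes, have no expiry, have expired but remain active, were issued for a temporary window longer than policy allows, or have gone unused long enough to be considered stale.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional

# Hypothetical least-privilege catalogue: the scopes each vendor role
# legitimately needs. Anything beyond this is over-privilege.
ROLE_ALLOWED_SCOPES: Dict[str, FrozenSet[str]] = {
    "hvac_monitoring": frozenset({"ot:telemetry:read"}),
    "payroll_support": frozenset({"hr:payroll:read", "hr:payroll:write"}),
    "app_hosting": frozenset({"app:deploy", "app:logs:read"}),
}


@dataclass(frozen=True)
class VendorGrant:
    """One credential issued to a third party (constructed model)."""
    vendor: str
    account: str
    role: str
    scopes: FrozenSet[str]
    issued: datetime
    expires: Optional[datetime]    # None means standing access with no end date
    last_used: Optional[datetime]  # None means the credential has never been used


def review_grant(grant: VendorGrant, now: datetime,
                 stale_after: timedelta = timedelta(days=30),
                 max_temp_window: timedelta = timedelta(days=14)) -> List[str]:
    """Return the policy findings for a single grant (empty list = clean)."""
    findings: List[str] = []

    # Least privilege: scopes the role does not need.
    excess = grant.scopes - ROLE_ALLOWED_SCOPES.get(grant.role, frozenset())
    if excess:
        findings.append(f"over-privileged: {sorted(excess)}")

    # Temporary access must have an end date, must not be past it,
    # and must not have been issued for longer than policy allows.
    if grant.expires is None:
        findings.append("standing access without expiry")
    elif grant.expires <= now:
        findings.append("expired but still active")
    elif grant.expires - grant.issued > max_temp_window:
        findings.append("temporary window longer than policy")

    # Credentials nobody is using are a liability with no business benefit.
    if grant.last_used is None:
        if now - grant.issued > stale_after:
            findings.append("never used")
    elif now - grant.last_used > stale_after:
        findings.append("stale")

    return findings


def review_all(grants: List[VendorGrant], now: datetime) -> Dict[str, List[str]]:
    """Run the review over an inventory, keyed by account name."""
    return {g.account: review_grant(g, now) for g in grants}


# Constructed sample inventory and review date for the demonstration.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
D = timedelta(days=1)
SAMPLE_GRANTS = [
    # HVAC vendor holding full VPN access it does not need, with no expiry.
    VendorGrant("acme-hvac", "svc-hvac-01", "hvac_monitoring",
                frozenset({"ot:telemetry:read", "corp:vpn:full"}),
                issued=NOW - 400 * D, expires=None, last_used=NOW - 2 * D),
    # Payroll support scoped correctly, 14-day window, in active use.
    VendorGrant("payco", "svc-payco", "payroll_support",
                frozenset({"hr:payroll:read"}),
                issued=NOW - 10 * D, expires=NOW + 4 * D, last_used=NOW - 1 * D),
    # Hosting vendor credential that expired a month ago but was never revoked.
    VendorGrant("hostit", "svc-hostit-tmp", "app_hosting",
                frozenset({"app:deploy"}),
                issued=NOW - 60 * D, expires=NOW - 30 * D, last_used=NOW - 45 * D),
    # Consultant issued a 90-day window that has never been used.
    VendorGrant("consultco", "svc-consult", "app_hosting",
                frozenset({"app:logs:read"}),
                issued=NOW - 40 * D, expires=NOW + 50 * D, last_used=None),
]

if __name__ == "__main__":
    for account, findings in review_all(SAMPLE_GRANTS, NOW).items():
        status = "; ".join(findings) if findings else "OK"
        print(f"{account:16} {status}")
```

Feeding this from your identity provider’s credential inventory and your vendors’ contractual role definitions turns the "regularly review credentials" obligation into a report you can actually act on and attach to the audit trail.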
When you engage the services of a third-party vendor, no matter how much you trust them or how long you’ve worked with them, it is essential to continuously assess the vendor’s security standards and best practices to determine if they meet those of your organization. Have them take part in thorough information security assessments at regular intervals, and ensure that all contracts contain clauses detailing their obligations for their own employee background checks as well as for engaging in employee data security training and robust security controls. Also, require them to perform up-to-date patching and vulnerability protection (email, Web), and make sure you put an auditing or verification program in place to confirm that their contractual obligations are being followed to the letter.
Step 4: Take It a Step Further with a Service-Level Agreement
Creating a service-level agreement (SLA) with a third-party company can be an effective way – at least on paper – to take your vendor threat strategy a step further. Basically, your SLA should mandate that the third party complies with your company’s security policies. It is vitally important that each SLA gives your company the right to audit the vendor’s compliance with your security policies. Key elements of an SLA should cover: information security, information privacy, threat and risk analysis, network and data access, disclosure and breach reporting requirements – and, of course, auditing/verification of compliance. As part of these requirements, make sure they are following NIST guidelines as well as SANS Critical Security Controls.
The risk of data breaches caused by third-party vendors is just far too great to ignore today. While the list above is only a starting point, the important thing is to get started. You have everything to lose if you don’t take the security vulnerabilities caused by your vendor relationships seriously, and much to gain – including peace of mind – if you begin constructing a comprehensive plan now.