Cybersecurity News

4 Steps to Mitigating Third-Party Vendor Cybersecurity Threats

By Sanjay Katkar
March 22, 2016

There are myriad security risks in giving third-party vendors access to your network and data. If a third party gets hacked, your company can lose vital business data, and confidential employee information can be compromised. If it’s a serious hack, the consequences for your company can range from white-hot media attention to a damaged reputation, lawsuit hell, higher insurance costs, extensive financial loss and even bankruptcy.

Some of the most devastating breaches in the past few years have been rooted in the security weaknesses of third parties, and in fact, hackers themselves admit that contractors are often their primary target. Case in point: the massive Target breach in 2013, which exposed about 40 million debit and credit card accounts. The initial intrusion into Target’s systems was traced back to network credentials stolen from a third-party HVAC vendor.

A recent study found that 63 percent of data breaches were linked to a third-party vendor responsible for system support, development and/or maintenance. In some cases, the victimized companies did not even know that a third party handled certain security functions.

Although it may be impossible to eliminate third-party security risks altogether, you can do a better job of containing them through prudent planning, regardless of your company’s size or IT budget. With that in mind, here are four important steps a company can take to reduce the risk of data breach when it comes to working with third parties:


Step 1: Start with Internal Safeguards and Multiple Layers of Protection

The best way to protect your organization from security threats resulting from work with other vendors is to start from within. Begin by enacting a multi-layered defense strategy that covers your entire enterprise, all endpoints, all mobile devices, all applications and all data.

Those layers should include encryption, and two- or even three-factor authentication for all network and data access requests from third parties. In security, more is generally better: more controls and more protocols. Of course, the extra layers of security won’t function very well unless your IT department is fanatically detailed about applying software updates and patches in a timely fashion across the network.

Also, establish a comprehensive data security policy for your employees to follow, and never stop educating them about best practices. Take steps to make sure they comply by implementing data classification, access rights and limitations, auditing and more. Above all, counsel them against releasing any security credentials to unauthorized parties. Research shows that credentials are the top threat vector for third-party hacks.

Step 2: Raise a Red Flag About the Power of Prevention

“An ounce of prevention is worth a pound of cure,” as the old saying goes, and it’s an important reminder for avoiding vendor-related security threats. Raising a red flag about prevention in your organization and in your customers’ and vendors’ organizations is essential. Don’t pass up the opportunity to educate not only across the enterprise, but also upward: your board, CEO, CFO, CMO and others in command need to know that prevention is the best policy. Many top executives don’t want to throw time, money and resources at initiatives they don’t see as urgent, but when a breach happens, they’ll do anything to put an end to it, and often the organization simply can’t recoup some of its losses. Far more money is frequently spent on fixing breaches than on putting preventative practices in place. IT leaders need to continually reinforce the idea that the threat is real as they communicate with company executives.

Step 3: Perform a Third-Party Vendor Assessment

The biggest third-party hacks in recent years have been the result of organizations giving their business partners access to sensitive information and systems, access to the network, responsibility for managing systems, and responsibility to host data and applications. The reality is that even your most trusted business partners can pose a security threat if they don’t have best practices in place.

Some third-party vendors only need access to your network, while others need access to specific data. Your third-party assessment should start by focusing on access: implement a “least privilege” policy covering who can access your data and network, and specifically what they can access. Regularly review the use of credentials with your third parties and understand who is using them within the partner organization. And limit temporary access, since it potentially opens the door to increased vulnerability.

When you engage the services of a third-party vendor, no matter how much you trust them or how long you’ve worked with them, it is essential to continuously assess the vendor’s security standards and best practices to determine whether they meet those of your organization. Have them take part in thorough information security assessments at regular intervals, and ensure that all contracts contain clauses detailing their obligations for their own employee background checks, for employee data security training and for robust security controls. Also require them to keep patching up to date and to maintain vulnerability protection (email, Web), and put an auditing or verification program in place to confirm that their contractual obligations are being followed to the letter.

Step 4: Take It a Step Further with a Service-Level Agreement

Creating a service-level agreement (SLA) with a third-party company can be an effective way – at least on paper – to take your vendor threat strategy a step further. Basically, your SLA should mandate that the third party comply with your company’s security policies. It is vitally important that each SLA gives your company the right to audit the vendor’s compliance with those policies. Key elements of an SLA should cover: information security, information privacy, threat and risk analysis, network and data access, disclosure and breach reporting requirements – and, of course, auditing/verification of compliance. As part of these requirements, make sure they are following NIST guidelines as well as the SANS Critical Security Controls.

The risk of data breaches caused by third-party vendors is just far too great to ignore today. While the list above is only a starting point, the important thing is to get started. You have everything to lose if you don’t take the security vulnerabilities caused by your vendor relationships seriously, and much to gain – including peace of mind – if you begin constructing a comprehensive plan now.

KEYWORDS: contractor security cybersecurity management data breach network security

Sanjay Katkar is the Co-Founder and Chief Technical Officer of Quick Heal Technologies, a leading global provider of IT security solutions. He holds bachelor’s and master’s degrees in computer science from University of Pune, India. Katkar, who has been associated with Quick Heal since its incorporation, has spearheaded the development of the company’s enterprise software, technology and services. Quick Heal’s Seqrite data security product line is specifically targeted at small to midsize enterprises and is sold in North America exclusively through channel partners.
