“Home Depot said the crooks initially broke in using credentials stolen from a third-party vendor […] Recall that the Target breach also started with a hacked vendor…” — Brian Krebs, Krebs on Security
In everyday business, a complex set of external relationships is commonplace. Services, infrastructure, and even software live in the cloud, supplied by third parties. An organization’s value is often in the data it generates, but how secure is that data across your digital supply chain? Do your external vendors and partners adhere to your security standards? How do you know for sure?
They may have filled out a questionnaire and ticked your compliance boxes. But, if a legal or regulatory issue comes up down the line, or there’s a serious data breach, that questionnaire is not going to save you from exposure. Trust your partners, but make sure you verify. There’s no substitute for comprehensive due diligence and you must continue to monitor partners for as long as the relationship lasts.
There’s a lot to consider here, and you have to remember that your third-party vendor isn’t necessarily accountable to your industry regulators in the same way you are. That could lead to some serious legal exposure for your company. Can you answer these questions?
You could have the best security in the world and it could all be rendered worthless if an attacker or data thief bypasses it by gaining entry through a smaller, less secure third-party partner. Cyber criminals probe for weaknesses to find the path of least resistance, and they’ll jump at any chance to sneak in through the back door.
It’s not realistic to have a moat around your organization anymore. There are too many business benefits to sharing information and improving accessibility for your employees, but you need to have confidence in the vendors you choose. Trust is earned.
You need a real risk assessment strategy. Hire an outside company to get an unbiased view of your vendors. Engage experts who can identify likely issues, test the checklist claims, help you mitigate the risks, and continue to monitor your partners to ensure standards are maintained.
Decide on your security posture as early as possible, and build the necessary risk assessment into your screening process. It should factor into the decision-making when you are shopping for new partners. Consider your requirements and create a security profile that covers everything including physical security, applications, IT services, malware protection and detection, wireless devices, user policies, and anything else that’s pertinent to your data and project. What’s the plan if and when a data breach does occur? The more you nail down upfront, the better your chances of handling an incident with minimal damage and exposure.
Don’t take it on trust when the vendor ticks all the boxes; have an assessor test them at random. If you do discover issues, consider presenting a plan for remediation. Your security assessor can help you with practical suggestions, and you may find that your vendor is willing and able to take the necessary steps to comply. A good partner will collaborate with you to mitigate any identified risks. It’s much better to find problems at the outset, when there’s time to solve them before any damage has been done.
That initial check gives you a snapshot, but you really need a real-time overview if you want to manage your third-party risk properly. Evaluation should be ongoing and your security requirements must evolve to reflect the changing nature of your business and the continuous flow of new threats emerging.
Ultimately, if you’re going to trust a third-party vendor with your data then you need to be sure that they are adhering to your security standards, and the only way to do that is by putting them to the test.