With the rise of next-generation technologies, companies have access to more data than ever and more opportunities to act on it. To manage this influx of information, they are extending their partner networks to new third-party vendors. Doing so eases the data-volume challenge, but it also presents new security obstacles.
Some of the most devastating breaches of recent years have involved third parties. Take the Equifax breach: roughly 148 million people were affected after attackers exploited an unpatched vulnerability in Apache Struts, a third-party open-source web framework running in one of Equifax's consumer-facing web applications. Mitigating third-party risk is plainly crucial in the financial industry, but third parties putting data at risk is a problem for organizations around the world, whatever industry they are in.
So what's the solution? It's time to get your vendor ecosystem in check. Given the many risks enterprises take on when they give third-party vendors access to their networks and data, vigilance is essential. The following best practices can help secure your business networks and lay a foundation for successful third-party risk management.
1. Assess Your Own Hygiene
According to research from the Ponemon Institute, 50 percent of organizations don't know who has access to their data, how it is being used or what safeguards are in place to contain a security incident. A Bomgar report found that 66 percent of organizations said they could have experienced a breach in the previous 12 months owing to third-party access, and 62 percent owing to insider credentials. The causes are largely a lack of resources to track third parties, the complexity of the technology and breakdowns in communication between people. After this year's series of high-profile data breaches, such as Under Armour, TaskRabbit and MyHeritage, the need for organizations to actively protect against data breaches has never been greater.
Gartner predicts that cybersecurity spending will reach $113 billion by 2020, but even though some of today's enterprises are spending more than ever to stave off a devastating attack, spending alone might not be enough. If you lack visibility into the who, what and where of everything happening on your endpoints, you could be one rogue system or one unpatched application away from a catastrophic breach.
To reduce third-party threats, start by assessing your own security hygiene. First, enact a multilayered defense strategy that covers your entire enterprise: every endpoint, every mobile device, every application and all of your data. Those layers should include encryption and multifactor authentication for every network- and data-access request from a third party. Extra layers do not make up for neglected basics, though: they will not function well unless your IT department is actively updating software and applying patches in a timely fashion across the network.
2. Choose Third-Party Providers That Improve Security Rather Than Jeopardize It
It’s important to take your time when selecting third-party providers. Assess your dependency on vendors, third parties and business partners. Some third-party vendors only need access to your network, whereas others need access to specific data. Your third-party assessment should focus on the following items:
- Compliance: New regulations have increased pressure to enhance third-party due diligence. The companies that hire third parties are also responsible for keeping their third-party risks and compliance violations monitored, measured and tested. Noncompliance with these regulations can result in expensive fines, penalties and prosecution, not to mention reputational damage.
- Internal processes: Third-party vendors must be held responsible for establishing their own security processes. It's also crucial that they vet their own employees and monitor and report on issues that arise. Require them to keep their systems patched and their vulnerability protection current. Determine whether they have had any incidents in the last year, how those incidents were resolved and what lessons were learned.
- Least privilege: Establish a policy that states who can access your data and network and, specifically, what they can access. Regularly review the use of each credential with your third parties and determine who in the partner organization is using it. Keep temporary access scoped and time-limited, and revoke it when the engagement ends; temporary accounts that are never cleaned up are a common source of exposure.
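The credential review described in the list above can be run mechanically if you keep an inventory of vendor accounts. The following is an added example, not code from the original article or from Avecto: it takes a constructed inventory in which each vendor account records the scope approved in the contract, the scope actually granted, MFA status, an expiry date and a last-use date (all field names are assumptions for the example), and flags over-privileged, MFA-less, expired and stale accounts.

```python
"""Third-party access review over a constructed vendor-account inventory.

Added example. The inventory format (field names, scope strings) is an
assumption made for this example and not any product's real schema.
"""
from datetime import date, timedelta

REVIEW_DATE = date(2018, 9, 1)        # day the review is run (constructed)
STALE_AFTER = timedelta(days=45)      # unused this long -> candidate for revocation

# Constructed inventory: one entry per vendor account.
VENDOR_ACCOUNTS = [
    {"vendor": "acme-payroll", "account": "svc-acme",
     "approved_scope": {"hr-db:read"}, "granted_scope": {"hr-db:read"},
     "mfa": True, "expires": date(2018, 12, 31), "last_used": date(2018, 8, 30)},
    {"vendor": "acme-payroll", "account": "acme-contractor-7",
     "approved_scope": {"hr-db:read"},
     "granted_scope": {"hr-db:read", "hr-db:write", "vpn:all"},
     "mfa": False, "expires": date(2018, 6, 30), "last_used": date(2018, 5, 2)},
    {"vendor": "cloudmon", "account": "cloudmon-agent",
     "approved_scope": {"metrics:read"}, "granted_scope": {"metrics:read"},
     "mfa": True, "expires": date(2019, 3, 1), "last_used": date(2018, 3, 1)},
]


def review_account(acct, today=REVIEW_DATE, stale_after=STALE_AFTER):
    """Return the list of findings for one vendor account (empty list = clean)."""
    findings = []
    # Granted scope must not exceed what the contract approved.
    excess = acct["granted_scope"] - acct["approved_scope"]
    if excess:
        findings.append("over-privileged: " + ", ".join(sorted(excess)))
    # Every third-party access path should be behind MFA.
    if not acct["mfa"]:
        findings.append("no MFA")
    # Temporary access that outlived its end date is still live.
    if acct["expires"] < today:
        findings.append(f"expired on {acct['expires']} but still enabled")
    # Credentials nobody uses are credentials nobody watches.
    idle = today - acct["last_used"]
    if idle > stale_after:
        findings.append(f"unused for {idle.days} days")
    return findings


def review_all(accounts, today=REVIEW_DATE):
    """Map account name -> findings, listing only accounts that need action."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[acct["account"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in review_all(VENDOR_ACCOUNTS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed inventory, `svc-acme` comes back clean, `cloudmon-agent` is flagged only as unused, and `acme-contractor-7` collects four findings: extra scopes, no MFA, an expiry that passed two months earlier, and no use since May. The point of the last case is that expiry dates in a spreadsheet do nothing unless something actually compares them against today and disables the account.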
No matter how much you trust a third-party vendor or how long you’ve worked with it, you must continuously assess the vendor’s security standards and technology. Companies with robust due diligence and third-party governance stand to benefit in many ways.
3. Perform Phishing and Password Training
Security processes and technology are useless if your staff isn’t trained on best practices. If your employees have access to sensitive information, communicate your company’s policies and procedures to them effectively. When it comes to data protection, everyone should know their role.
Even with the best people and technology, the weakest link in your organization's security can be its own employees. Unsurprisingly, phishing has become a major threat to enterprises globally; commonly cited industry figures put phishing at the start of more than 90 percent of successful attacks. These attacks keep growing more sophisticated as attackers find new ways to target vulnerable employees.
Education is the key to prevention: findings from a Wombat Security survey revealed that nearly 30 percent of employees don't know what phishing is, and ransomware is an unknown concept to nearly two-thirds of workers. Ensure that you and your third-party vendors are continuously training workers to identify and report suspicious emails. Doing so turns your workforce and vendor ecosystem from the weakest link into a strong first line of defense. Also ensure that employees assess messages before acting on them: checking where a link actually points before clicking it, and asking why the email arrived in the first place, are good first steps.
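The "check where the link actually points" step above is something a mail gateway or a help-desk triage script can do for the reader. The following is an added example, not code from the article or from Avecto: it pulls the anchors out of a constructed HTML email body and reports the tricks that make a link look like it goes somewhere it does not, namely a visible domain that differs from the real one, a `user@` prefix that pushes the real host out of view, an IP-literal host, and a punycode (IDN) host. The sample email and its domains are constructed for the example; the registrable-domain helper is a deliberate last-two-labels approximation, not a public-suffix-list lookup.

```python
"""Flag deceptive links in an HTML email body. Added example; the sample
email, hostnames and the punycode label below are all constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Something that looks like a hostname inside the visible link text.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable_domain(host):
    """Approximation: last two labels. A real check would use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_link(href, text):
    """Return the reasons a link looks deceptive (empty list = nothing found)."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        reasons.append(f"non-web scheme {parts.scheme!r}")
    # https://trusted.example@evil.example/ : the part before '@' is userinfo,
    # the browser connects to evil.example.
    if parts.username is not None:
        reasons.append(f"userinfo {parts.username!r}@ hides the real host {host!r}")
    try:
        ipaddress.ip_address(host)
        reasons.append("IP-literal host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) host")
    # If the visible text names a domain, the reader assumes that is the destination.
    m = _HOST_IN_TEXT.search(text)
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        reasons.append(f"text shows {m.group(1)!r} but link goes to {host!r}")
    return reasons


def check_email_links(html_body):
    """Map each deceptive href in the body to its list of reasons."""
    collector = _LinkCollector()
    collector.feed(html_body)
    report = {}
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            report[href] = reasons
    return report


# Constructed sample: one honest link, two deceptive ones, one plain image link.
SAMPLE_EMAIL = """<p>Your invoice is ready.</p>
<a href="https://portal.vendor-example.com/invoice/42">https://portal.vendor-example.com/invoice/42</a>
<a href="https://portal.vendor-example.com@203.0.113.10/login">portal.vendor-example.com</a>
<a href="https://xn--vendr-example-xyz.com/login">Sign in to vendor-example.com</a>
<a href="https://cdn.vendor-example.com/logo.png">company logo</a>
"""

if __name__ == "__main__":
    for href, reasons in check_email_links(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

The honest invoice link and the logo link produce no findings; the `@` link is reported three times over (userinfo, IP-literal host, and a visible domain that does not match), and the punycode link is caught both for its `xn--` label and because the text names a different domain. Text that contains no hostname, such as "company logo", is deliberately not compared, since there is nothing for the reader to have been misled by.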
4. Know the Regulatory Scenarios
With more stringent data regulations going into effect, organizations must rethink their compliance process. If you handle data in any way, you're likely aware of the EU's General Data Protection Regulation (GDPR) and its wide-ranging implications for U.S. companies that process any EU data. Many organizations worked to bring themselves into compliance before the May 2018 deadline, but those efforts were often insufficient. And what about your third-party vendors? Are they taking the necessary steps toward GDPR compliance now that it's in effect?
Under the new rules, a third-party processor is directly responsible for its own compliance. Both the processor and the organization that owns the data (the controller) are obliged to determine what data is being shared, why it's being shared, why it's being stored and whether operations must change.
It's a big undertaking, but an important one. Organizations should restrict third-party access to sensitive data, complete an information audit to map the data flows to third parties, collect only the data that serves a legitimate purpose and make sure that the leaders accountable for the data are aligned. To stay GDPR compliant, they must look beyond their own processes and confirm that their third parties are regulation ready. Otherwise, they may be on the hook for regulatory fines, on top of the looming risk of a third-party data breach.
Successfully managing third-party vendors is an ongoing practice, not a one-time task. Organizations of all sizes and industries need to treat their extended network as part of their own security family. Although one organization's requirements may not be the same as another's, all businesses have a responsibility, to themselves and their customers, to implement measures that are appropriate to their unique risks and needs.
About the Author
Kevin Alexandra is principal technical consultant for Avecto.