Across today’s global business landscape, turning to third-party entities to support operations is commonplace. It’s not surprising, then, that 82% of companies today provide high-privilege data access to vendors and suppliers.
Yet vendors are just as vulnerable in the face of fast-escalating cybercrime as anyone, especially when cybercriminals favor third parties as an “in” to penetrate larger systems.
Kaspersky’s IT Security Economics Report notes vendor incidents were the costliest enterprise data breaches of 2021, from mass identity fraud via a file transfer application to a vendor leaving three million Volkswagen customers’ data unsecured and exposed.
Here in 2022, security experts at Forrester say 60% of all data breaches will occur due to third-party issues. So even if your internal security hygiene is excellent, and your privacy practices are near perfection, your vendors’ vulnerabilities are now the most likely way for you to be compromised.
A breach of a vendor’s security measures can paralyze your systems as well, grinding functionality to a halt. An attack on your data privacy can expose your customers’ or patients’ confidential information, with the potential to cascade into a host of other problems—regulatory fines, lawsuits, revenue loss, and significant damage to your organization’s public reputation. These are overnight disasters that can begin with a simple phish in your vendor’s inbox.
Given what’s on the line with your partner relationships, what exactly should you be looking for in vendor security? How can you keep your partners’ practices honest, your data safe, and your supply chain security up to snuff?
Start by organizing and evaluating your options for a secure vendor by identifying risk levels among your candidates. Categorize prospective partners by the potential risk they pose to your organization, focusing specifically on the ways their vulnerabilities could feed into your worst-case scenarios. Also note what, if any, cybersecurity and compliance standards they operate by independent of partnering with you.
Find out their most common threats (no one should tell you they’ve never had any type of threat—everyone gets phished these days!) and whether they’ve experienced any major security breaches in the past, and if so, what they learned or changed as a result. What kind of tools do they use in their assessments? Are they comprehensive and reliable, or surface-level? Make sure they know their way around your industry-specific regulations, which is particularly important if you’re in a highly regulated industry.
Throughout the selection process and beyond, you’ll also need a running register of all vendor candidates and their risk profiles—not just for determining your choice, but for documentation and liability mitigation should something go awry in the future with your chosen partner(s).
By partnering with a third party, you’re expanding the attack surface for cybercriminals to target, so you’ll also want to vet your vendors’ vendors. Chances are your chosen provider isn’t the only link in the supply chain to which you’re attaching your organization. What vendors do they use? What is the state of their security posture?
In the meantime, you can give your employees additional training on third-party information security and prepare your own data defenses with a Zero Trust security model. A Zero Trust model “levels the playing field” when it comes to security clearance and mandates multi-factor authentication and biometrics for users of all privileges. As you bring new collaborators into the fold, it’s important to maintain the same levels of security across the board—this will dissuade cybercriminals from using provider clearance as a weak point from which to wedge their way into your systems.
Heading Off Headaches
According to Gartner’s Third Party Risk Management eBook, over 80% of legal and compliance leaders find risk issues in their vendors after they’ve already partnered up. To prevent such a wake-up call, consider requiring vendors to prove their IT security posture with recent results from comprehensive risk assessments, penetration testing, and compliance audits.
During and even before partnership, conduct third-party risk management (TPRM). TPRM can be a multi-pronged approach, but the overall point is to develop contingencies for the ever-evolving risk factors of a third-party provider, while keeping your finger on the pulse for any sudden changes. And like you, a vendor should have a sound incident response plan, with remediation strategies for potential data breaches.
Experts further recommend mandating vendor management risk assessments, which can be embedded in your third-party contracts, as can the requirement that vendors disclose cyber incidents when they occur, giving your organization time to prepare for the worst and set mitigation strategies in motion.
Monitoring your vendor’s cybersecurity stance encourages both parties to keep their compliance requirements up to date, and motivates the development of actionable plans for risk mitigation. It can also be the first step in a long-term, mutually beneficial business relationship, and a flourishing, well-kept technology ecosystem between your two entities.
Final Note About Your TSPs…
A comprehensive risk management approach governs both your internal team and your external partners. BAI Security’s Vendor Management Risk Assessment ensures your Technology Service Providers (TSPs) are held to your same in-house standards of risk management, security, and privacy.
Using the National Institute of Standards and Technology (NIST) Cyber Supply Chain Risk Management Practices for Systems and Organizations (NIST SP 800-161 Rev. 1), our expert auditors will verify that your service providers’ controls are operating safely and soundly, meeting appropriate industry standards, and adhering to applicable regulations. In-scope areas for this assessment include:
- Management Responsibilities
- Risk Management
- Contract Issues
- Ongoing Monitoring
- SOC Report Evaluations & Gap Assessment
To help ensure your security, as well as your partners’, meets your standards, contact us today.