Protecting critical data does not stop at securing the devices on your network or even the employees of your company. In an increasingly complex environment, it extends beyond an organisation’s walls to the systems and networks of its ecosystem of third-party vendors.
According to a recent survey by the Ponemon Institute entitled ‘Data Risk in the Third-Party Ecosystem’, 37% of the 598 participants believed they would not be notified by their third-party vendors in the event of a breach involving sensitive data. Just 35% said they conduct frequent reviews of vendor management policies to make sure they address third-party risk.
When it comes to an organisation’s vendors, a breach in any link in the chain can have serious repercussions. If your organisation’s data is vulnerable due to the practices of a third-party vendor and that organisation failed to take steps to assess their security, in some instances the organisation itself may be found liable if there is an incident.
It is critical that businesses realize one simple fact – no matter their size, they supply goods and services and deal with suppliers of their own. In short, every business has vendors and is a vendor, and because of that, establishing a vendor management program is a vital part of mitigating cyber-risks to their organisation.
Establishing a Vendor Management Program
There are unavoidable risks associated with the loss of control that comes with outsourcing services. The fundamental task of a vendor management office is to gauge and monitor the risk posed by third-party vendors and ensure those risks don’t reach unacceptable levels. There are two major components to a vendor’s risk score. The first is the ‘inherent risk’, which is the risk of the proposed vendor service(s) pose to your organisation if no security controls are in place. In determining inherent risk, organisations should consider questions such as operational dependency and what network assets and data the vendor can access.
The second component is the ‘residual risk’, which is the risk the vendor poses after considering security controls to be applied. Each score takes into account the risk to business strategy, regulatory compliance, reputation, business operations, finance, information security and privacy and overall security. By breaking the score into these categories allows your organisation to focus on specific areas of risk posed by specific vendor services so that the approach to each vendor isn’t too general. For example, a vendor with access to another organisation’s financial information may need additional security controls other vendors may not in order to comply with the Payment Card Industry Data Security Standard (PCI DSS).
After establishing the residual risk rating/scoring, organisations should consider their own appetite for risk. If the residual risk score is higher than what your organisation is willing to accept for a particular type of service(s), it is time to insist on more stringent controls as part of the vendor contract negotiations or consider partnering with a different vendor. In some cases, the security controls your organisation requires will be determined by compliance regulations. In others, that may not be the case. Either way, it is vital for your organisation to conduct a risk assessment of a vendor’s environment to understand its security posture before signing a contract.
Proving Vendor Security
Perhaps the biggest challenge when it comes to vendor management is monitoring the security of your partners to ensure the needs of your organisation are still being met. Depending on the risk level of the vendor and the sheer number of vendors your organisation has to manage, it may make sense to approach this situation by relying on vendor attestations or external audits to ensure they are meeting the necessary requirements. Questionnaires are not uncommon, and neither is asking vendors to send documentation such as past audits that allows you to see what their security posture was in the past. If questionnaires are going to be relied upon, however, it is important that
the questions be specific to proposed services so that clear answers are received from the vendor and can be communicated to your upper management.
In other cases, a more thorough approach may be required. If possible, a security architect can examine the vendor’s network configuration, encryption, and other security controls are working correctly. A penetration test can also be used to verify a vendor’s security defences and whether or not they remain in compliance with the terms of the service level agreement. In addition, much can be gained by actually visiting a vendor’s site, which can give your organisation a sense not only of a vendor’s virtual security controls but their physical security defences as well, such as their security cameras.
A critical challenge however still remains – how does the organisation ensure the vendor maintain the necessary level of security. Standard questionnaires can only go so far, and configurations and controls can change at any time and potentially open up security holes. There is no easy answer to this, but regular communication between you and the vendor, as well as periodic checkups, may be necessary for vendors whose importance to business operations and access to data and assets make them high risk.
Building the right team to implement a vendor management program is of course critical. Whether it is determining security standards, coming up with service level agreements, or maintaining regular communication, vendor management requires coordination from the legal, IT, and business sides of an organisation. It also requires the ability to communicate risk to upper management. The risk scores provide a way to select the vendors best able to serve the organisation’s needs, prioritize them from a security perspective, and present that information to leadership.
Once a vendor has been selected, the priorities shift to monitoring compliance with the agreement and making sure the security levels agreed upon are being met and are still sufficient. While organisations seldom have the resources to assess every vendor with the same level of vigor, a strong vendor management program allows them to identify the ones that need the most attention.
A good start is to request your vendors to undertake the Layer 8 Security “Supplier Assurance Questionnaire”. This questionnaire is designed to identify any potential holes within a supplier’s systems and infrastructure.
From this questionnaire, you can identify areas that require immediate attention or may be a cause for not engaging the supplier at all.
Beyond this, contracts that outline the penalties for breach of contract or potentially cause a breach should be implemented and monitored for compliance.