We all know the prevalence of cybersecurity threats and the damage they can pose to the operations and reputation of a company following an attack – but what most may not know is that more than half of these breaches are not due to an actual external intrusion, but are caused by a third-party vendor who was not as stringent in their cybersecurity protocols, a recent study revealed.
Given the recent examples of the Singapore Airlines data leak through a passenger service system, Singtel’s Accellion File Transfer Appliance breach and breach of 30,000 e2i client names from a malware attack – it’s evident there is a need to address the management of third-party IT vendors for robust cyber resilience.
Security considerations do not stop at the perimeter of our networks. We must take into account the posture of vendors who process our data, integrate with our systems, or whom we rely on in our day-to-day operations.
After all, an organisation's security posture is only as strong as its weakest link, and whether we want to believe it or not, vendors have become an integral supply chain supporting our business operations.
For companies that run on a lean team, outsourcing a tech responsibility, process, or function for which it is hard to hire is a natural way to let existing staff make the most effective use of their time. Outsourcing your IT is a great way to efficiently tackle those tech needs, but how secure is the portfolio of vendors you’ve partnered with? Are they protecting the confidentiality, integrity, and availability of data and access in the same way you would?
Most importantly, do you understand the security gaps and risks that your vendor relationships expose you to over time? If you don’t have a quick answer to all of these questions, then chances are you are neglecting an essential component of your organisation's cyber resilience strategy.
Third-party risk management is not a one-time review
An IT security review does not mark the end of third-party risk management processes. If your program is tracking the actions this far, chances are you’ve identified some gaps in a few vendors’ processes. Don't just document the deficiencies and send them on their way; you have to follow up.
Major deficiencies should be documented on both ends and followed up on based on the set milestones. Companies should also do their due diligence by ensuring remediations are provided for within the contract language, so that unforeseen circumstances have the legal space to be addressed.
Additionally, when there are major documented vulnerabilities, you should be asking ALL of your vendors if they are impacted as that will have a downstream effect on your cyber resilience.
Companies must create the capability to hold their most critical IT vendors accountable for proper security protocols. You can do this by implementing the four essential components of managing third-party risk:
- Identify: Understand your vendors and how they impact your cyber resilience
- Prioritise: Tier them in terms of their importance to your operations and potential to adversely impact them in the event of a breach
- Evaluate: Develop an evaluation process that fits the vendor and your needs
- Persist: Managing your vendors is a continuous process, not a one-time event
Next time there is a major vulnerability in a common piece of technology that is experiencing automated compromise, ask your vendors if they, or any of their critical vendors, were impacted and what they are doing about it. Until then, take a vendor inventory, prioritise them, evaluate them, and persist in these processes.
Do a vendor inventory
Any IT or security practitioner could tell you that the foundational step to any good initiative is knowing thyself, which means understanding your security posture. We keep a detailed and comprehensive inventory of the goods and services we offer our customers, so why not inventory your vendors as well?
Without a general understanding of what vendors are used in your organization, chances are you will not be able to identify the actual vulnerable points in your third-party risk portfolio.
The taxonomy of your procurements plays an important role here. Every vendor coming in or going out should be accounted for, and properly identified in a system of record based on the type of service and relationship. That system of record can be in technology too, or a simple spreadsheet. The key here is simply developing processes and maintaining them.
Centrally managing a vendor portfolio has many advantages, only some of which are security- and risk-based. With a good understanding of what exists you can now evaluate redundancies and unnecessary relationships in a single place.
Do you actually know your IT vendor?
Not all vendors are created equal, and it can be difficult to explore the depths of each vendor in your vendor portfolio, especially when dealing with limited security resources.
In a world where risk management is a luxury, prioritise your efforts on those vendors whose compromise could do the greatest damage to your organisation or significantly disrupt your operational tempo.
The prioritisation, or the tiering of vendors, can be used to guide a series of processes in the vendor management cycle:
- Set a cadence for vendor diligence across the enterprise
- Define specific requirements for vendors at each tier
- Fast track the procurement processes for low-risk vendors
- Allow prioritisation of investigation into high-tier vendors
Here are some key criteria that should be considered when assessing and tiering your IT vendors. We have a Vendor Assessment Cheat Sheet in case you need one.
How to properly assess your IT vendors
As the complexity of vendor relationships evolves, so should the methods by which we assess them. The era of the standardised checklist has come and gone and yet many organisations continue to rely solely on a checklist's ability to gauge complex security processes. This is like trying to quantify a three-dimensional problem with a two-dimensional approach.
Now that you have developed criteria for identifying your most critical vendors, you can take a step back and develop a proper way to assess them: one that measures vendors in a way that mirrors your internal requirements.
In most cases, those Tier 1 vendors should be treated as an extension of your organization, and thus, you should ensure they have similar or better policies, procedures, processes, and capabilities than those you have set for your organization.
It becomes imperative to ask yourself: if this particular vendor were breached, what would be the impact on our operations and those of our customers? Assess the vendor against those priorities. If availability concerns you, build firm Service Level Agreements (SLAs) into the contract and ensure they have an adequate response plan in the event of an incident.
Be sure their business continuity plans are built and tested to withstand the unforeseen, not just to comply with a requirement. If your concerns are primarily around data, then be sure the proper access controls are built into their environment, peel a layer deeper, verify encryption standards are adopted, ensure audit trail logs are reviewed, etc.
The scenarios could go on forever, but the important thing is not to overlook gaps in the vendor’s processes, and to orient your assessment around a firm understanding of what they do for you and how it impacts your resilience. It's very easy to take credit for the existence of a process, but proving its effectiveness and efficiency through documentation is much harder to do.
So be sure to investigate further, ask questions, meet with the right representatives, and document their plans to address any issues or concerns. Remember, you’ve prioritised a handful of these vendors as critical; it's time you start treating them that way.
If such plans do not exist, then work with them to develop a plan of action with milestones. This will help them track progress to meet the desired solution. If this option is not on the table, be sure you have a system in place to transfer the risk back onto the vendor or establish compliance via contractual language.
Best practices and assurances can no longer be merely expected; they should be delivered as requirements when entering a vendor relationship. If they are not upheld, all or part of the damage should be assumed by the vendor.
Contractual security language will not only protect you by having vendors abide by best practices, but it will set the cadence for the relationship. It will bind both parties to the standards that should be met in the event of an incident.
Things like incident response, data retrieval, data ownership, rights to an assessment, etc. should all be termed upfront in these relationships. These may seem like basic requirements, but when push comes to shove, you’ll be glad your legal team can call upon these clauses to expedite a response or an action from the vendor.
Ryan Weeks is the CISO of Datto