A key aspect of protecting your business from third-party vendors is often overlooked. Sharing information, software, or access to your computer network may be part of your business. This can pose a security risk. It is your responsibility to protect any information you share with third-party vendors. If the vendor has a data breach you are responsible for notifying regulators and customers. Hackers can also use connections between companies to move from one company to the next. The recent incident at solarwinds is a good example. Solarwinds is a software company. Once hackers had compromised solarwinds, they added malware to their latest software update and sent it out to all their clients. After the software update was installed, the malware infected the clients. BEC (business email compromise) is another example. A hacker could send you an email with malware disguised as a regular attachment if one of your third-party vendors is hacked. You are likely to open the email and click the link. These are just a few examples of third-party risks that can be added to your business. You want to protect yourself from such risk. Here are three major categories of risk that can be associated with third-party services.
Network Security: If another company gains access to your network insecurely, this could lead to hacking of your company. This can be very costly to repair. Cyberattacks can cause share prices to drop by 7% and cost more than $3 million.
Regulatory: Where a third-party vendor has your company’s data and is not in compliance with any of the regulations that are applicable to your company. It is your responsibility to ensure that all third parties with which you share information are complying with applicable regulations. If you fail to comply, your business may be subject to fines and/or suspension.
Operational: Any disruption in your company’s operation that prevents you from providing products or services for your customers. This is most common if you use a cloud provider. Your website will be unavailable to customers if the server hosting it goes down. This will result in your business losing revenue. This can prove disastrous for your business if your company uses a high-uptime business model such as Netflix.
How to reduce third-party risk
Identify your third-party vendors along with their contact information: Keep a list of all vendors your company uses, including their contact information and terms of service.
SLA: Your service level agreement should clearly outline the services that you will be receiving. It should, for example, guarantee that there will be a certain level of uptime. If the service is not provided it should also outline what steps will be taken to remedy the situation and provide any compensation if it’s not possible to recover. It is important to have your company’s written notification in case of data breaches.
Use Industry Standard vendor assessments: To assess your vendor’s risk level, you can use assessment programs from well-known vendors such as Adobe or Microsoft. These are the security measures that they evaluate for every third-party vendor who stores or processes company data. Security Boulevard has some examples of common things you should look for.
- Assertion Security Practices: Exam of security certification attestation report (SOC II Type II, ISO 27001), and internal security policies.
- User authentication: Access control processes, password policies, and support for multi-factor authentication
- Logging and Audit: Information about network logs, retention periods and system/app/network logs
- Data Center Security: Physical security measures at locations where company data is stored
- Vulnerability Management and Patch Management: Assessments of vulnerability and pen tests, as well as a timeline for remediation
- End-point security: Policies that provide end-point protection
- Data encryption: Encryption in transit and at rest
You can also use vendor-neutral industry standards to assess your vendor’s risk management. Here are some examples:
– SOC 2
-Consensus Assessment Initiative Questionnaire
-NIST Risk Management Framework 2.0
-CIS Critical Security Controls
Provide as little information possible: You want to ensure that you give only the information necessary to enable vendors to complete their work. Every piece of information that you provide to vendors should have a business purpose. You should also make sure that the information is not able to be used to identify individuals. A social security number is not useful by itself, but it can be used to identify people if they have their first and last names. It is best to break down the information as much as possible so it cannot be used to harm anyone. Data anonymization is a process that protects private and sensitive information by erasing and encrypting identifiers that link an individual to stored data.
Keep an eye on the news about your vendors” As we mentioned, if vendors are affected by a data breach, you will ultimately be responsible for that information. It is important to keep track of your vendors and monitor any potential data breaches to ensure that you are on the right track with your notification requirements and take all necessary steps to protect your consumers’ information.
You can get involved in a data breach: There are two main goals if your vendor is affected by a data breach. First, you need to determine if the breach directly impacts your company’s security. If they are able to access your network and have caused a malware epidemic, then you should consider whether it has spread to your company. You should also check if the vendor has hacked someone’s email account. This is because it could have sent phishing emails to your company if anyone clicked on the link, downloaded any attachment, or otherwise affected your company. You should also request a vendor statement confirming that any company information has been leaked. This is essential to prove that you investigated the incident thoroughly.
Create a consistent onboarding and offboarding process for new vendors: Onboarding is a time to ensure that your vendors are familiar with your information security policies and procedures. Also, make sure that they have read any compliance requirements you have and agreed to follow them. It is important to off-board vendors once your business relationship ends. This means that they must delete all information about your company from their systems, and you should get written confirmation that they did so.
Security Ratings: You have the option to use security ratings in order to track how secure your vendors and vendors are. Bitsight uses open-source intelligence to assess your vendors. You can monitor multiple vendors at once and save a lot of time compared to doing the research yourself. You can have them set up to notify you if your vendor is mentioned in the media for a data breach. These tools can be expensive and not always free.