It’s a commonplace practice for companies to use third-party vendors to improve business efficiencies, streamline operations and reduce costs. Many companies assume their vendors are managing digital security and, as a result, are less mindful in their own cybersecurity approach. Last year alone, we saw several organizations fall victim to cybercrime through their third-party vendors, including the following instances:
- proximately 150 million MyFitnessPal user accounts were hacked, exposing user names, email addresses and passwords—causing Under Armour shares to drop by 3%
- More than 160 Applebee’s restaurants leaked credit card information collected from customers
- More than 5 million credit and debit card numbers from Saks Fifth Avenue and Lord & Taylor customers were exposed when hackers planted software in an unsecure in-store point of sale system
While it is impossible to completely eliminate third-party security threats, the key to limiting your exposure is to take a risk-based approach. Our leading cybersecurity experts have assembled six tips to help you plan, prepare and carry out long-term assessments that will help your business strengthen its security:
1. Embrace the Power of Detection
Instill the importance of prevention at all levels, firm-wide. Lead with the reality that the costs of fixing a breach exceed the costs of preventing one. The third-party threat is real and requires constant vigilance to mitigate.
2. Check the Eggs in Your Basket
Make sure you cover all of your security bases before you hand over the keys to your business.
- Start with internal safeguards. Employ a multi-layered defense strategy that covers the entire organization—all endpoints, all mobile devices, all applications, and all data. These layers should include encryption and two-factor authentication for all network and data access requests from third parties.
- IT must keep up with software updates and patch management. Software patches and updates fix critical vulnerabilities as soon as they are identified, and are essential for these extra layers to be effective.
- Enforce a comprehensive data security policy for employees to follow. Educate your workforce on best practices and implement data classification, access rights and limitations protocols. Advise employees against giving any security credentials to unauthorized parties, and explain that stolen credentials are the top threat vector for third-party hacks.
3. Understand the Risks
Before you engage a third-party vendor, understand the possible threats to your organization. This will give you the background necessary to ask the right questions. Remember, if your company gets hacked, you will be held responsible – even if the third party is at fault – and can be exposed to various risks, including:
- Compliance – the violation of laws, rules or regulations, including disobeying internal policies, procedures or business standards
- Strategic – reflecting poor business decision making, or the failure to appropriately manage risk
- Operational – financial damages resulting from incompetent or failed internal processes, people, and systems
- Transactional – interruptions to services or the delivery of products
- Reputational – damages stemming from negative media attention and contributing to a negative public opinion of the company
4. Prescreening Questions
Now that you understand what’s at stake when proper cybersecurity protocol is not followed, refer to these questions when selecting a vendor.
- What resources will you need access to?
- What services are you going to touch?
- What information will you access, and potentially modify?
- What access and privileges will you need?
- Who will be responsible for monitoring the vendor?
Even the most trusted business partners can pose a high security threat if they don’t have their own best practices in place. For this reason, it is essential to continuously assess the security standards of your third-party vendors.
5. Third-Party Vendor Assessment
Some third-party vendors may only need access to your network, while others may need access to specific data. Your assessment should start by focusing on access, implementing a “least privilege” policy that outlines who can access your data and network, and what they can access. Review the use of credentials and understand who is using them within their organization. Also, limit temporary access as it could potentially open a door to increased vulnerability.
You should have them take part in thorough information security assessments and ensure that all contracts contain clauses that specify their obligations for their own employee background checks, as well as for engaging in employee security training and maintaining strong security controls. Require them to perform up-to-date patching and vulnerability protection. Establish an auditing or verification program in order to confirm that their contractual obligations are being accurately followed, word for word.
6. Create a Service-level Agreement
An effective way to take vendor-related threat strategy a step further is to create a service-level agreement (SLA) with a third-party. This will order the third party to comply with your company’s security policies. An SLA should cover elements such as information security, information privacy, threat/risk analysis and network/data access.
Fear is created when we function in a knowledge void. Understanding how to implement the necessary safety measures to prevent exploitations through a third-party relationship can reduce your chances of becoming a victim of a data breach or cyberattack. For more ways to secure your valuable assets, contact a CyZen cybersecurity advisor.
Compliments of CyZen, a member of the EACCNY