With the digital transformation of our communication systems and the development of cloud and edge computing, the enterprise perimeter is fuzzier than ever. This has helped to open up communications with an extended, and often global, vendor network.
The new mode of vendor management is about building an ecosystem, often within a complex matrix, where third parties cross the enterprise line by using technology to bridge the divide. This ecosystem is not one-way, either: It has to support multi-directional communications, and this builds even more complexity into the whole community.
Technologies such as the Internet of Things (IoT) are increasingly being used to connect the vendor community. Data is flowing across channels and out to the edges of computing, to endpoints that may or may not be known to the parent organization.
This situation is developing within an already-aggressive cybersecurity landscape. Adding multi-directional, highly connected, extended endpoints only makes the resulting data matrix more difficult to manage. Over 18.5 million data records are lost or stolen every day, and in a Bomgar survey, 69 percent of respondents said they had suffered a data breach because of third-party vendors.
To manage third-party risk, we must have a set of best practices to follow to ensure that our vendor security is as good as we can make it.
Best Practice #1: Open Your Eyes to Your Vendor Ecosystem
If you have to manage a wide community of vendors, you may not have full visibility of the entire vendor ecosystem. A 2017 Ponemon Institute study of third-party vendor risk found that, on average, 471 partners in the ecosystem had access to sensitive data — an increase of 25 percent over 2016. Having visibility of where data goes and who has access to that data is a critical first step in managing the risk to your confidential and sensitive information. Develop an inventory of your vendor network and map each vendor's data access. This map of third-party vendors will then inform Best Practice #2 below.
Best Practice #2: Know Who Owns the Information Risk
Ownership of risk should be looked at in an overall risk assessment exercise that covers the entire third-party vendor matrix. Information security risk is something that touches all vendors, including subcontractors. Having an extended ecosystem view allows you to see that risk can enter the chain at any juncture. To determine the risk model and know who owns risk, you should follow steps to:
- Identify vendors across the extended chain
- Classify vendors based on their interaction with your organization
- Map risk types to the vendor
- Assign a risk level to the vendor/risk type
- Use the above to create a risk assessment model
Make this part of your security policy, and it can be used to generate the intelligence you need to carry out the best practices that follow.
Best Practice #3: Evaluate the Cybersecurity Strategy of All Ecosystem Vendors
As well as understanding risk and mapping access to information across the vendor network, you should also look at how third parties protect data. A PwC report on the global state of information security found that almost half of companies did not have any security standards for third-party vendors. Many regulations now expect data security and privacy obligations to extend to the actions and measures of third parties. For example, laws such as the General Data Protection Regulation (GDPR) are designed to ensure that a company using a third-party vendor to process data remains GDPR-compliant.
When working with third-party vendors, you will need to carry out due diligence on what security strategies they have in place and which privacy measures they have taken to ensure data integrity, security and confidentiality are upheld. These measures should reflect those that your industry has to comply with. For example, does the vendor use a security awareness program?
Best Practice #4: Use the Right Technology for Access Control and Monitoring
Trust is a precious commodity in the world of cybersecurity. Misplaced trust is the basis of many attacks, so it needs to be granted sparingly, with layers of technology to enforce it. On average, 89 vendors per week access a company network. Access should be granted on a privileged, need-to-know basis: create an inventory of access roles and make sure that each role is given only the access it needs.
Then, with identified roles in place, add in layers of protection to these privileged access roles — apply a “Trust, but Verify” model. The methods you can use to apply the verification depend on the application, but if at all possible, use:
- At least a second factor for login that comes under the “something you have” list of factors
- Risk-based authentication, i.e., rules applied to access so that if an access attempt occurs outside of a specified domain, for example, additional layers of authentication are applied
Many insider threats originate at a third-party vendor, and they include some of the largest cyber attacks in history, such as the infamous Target Corp. data breach. Wherever appropriate, use monitoring tools to look for trends and patterns of unusual behavior.
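The following Python example is added here to illustrate Best Practices #1, #2 and #4 together; it is not code from the original article. It builds a small vendor inventory with the data classes each vendor may reach (Best Practice #1), derives a risk level from that map (Best Practice #2), and then applies "Trust, but Verify" rules to each login: a "something you have" second factor for medium- and high-risk vendors, risk-based step-up when an attempt comes from outside the vendor's agreed network or expected hours, and a simple monitoring pass that flags vendors whose anomalous attempts cluster. Vendor names, network ranges, business hours, the sensitivity scale and the alert threshold are all constructed assumptions.

```python
"""Vendor access policy: classify vendors by the data they touch, then apply
"Trust, but Verify" rules (second factor, risk-based step-up) to each login.
Added illustration, not from the original article; all inventory data,
network ranges, events and thresholds below are constructed sample values."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Best Practice #1/#2: ordinal data-sensitivity scale (constructed assumption).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class Vendor:
    name: str
    data_access: list                 # data classes this vendor may reach
    allowed_networks: list            # CIDRs the vendor agreed to connect from
    business_hours: tuple = (7, 19)   # local hours in which access is expected

    @property
    def risk_level(self) -> str:
        """Risk level follows the most sensitive data class the vendor can reach."""
        top = max((SENSITIVITY[d] for d in self.data_access), default=0)
        return {0: "low", 1: "low", 2: "medium", 3: "high"}[top]


@dataclass
class AccessAttempt:
    vendor: str
    account: str
    source_ip: str
    when: datetime
    second_factor: bool               # a "something you have" factor was presented


def evaluate(vendor: Vendor, attempt: AccessAttempt) -> dict:
    """Decide allow / step_up / deny and record the reasons for monitoring."""
    reasons = []
    in_allowed_net = any(
        ip_address(attempt.source_ip) in ip_network(n) for n in vendor.allowed_networks
    )
    if not in_allowed_net:
        reasons.append("source outside agreed network")
    start, end = vendor.business_hours
    if not (start <= attempt.when.hour < end):
        reasons.append("outside business hours")

    # Medium/high-risk vendors always need a second factor; any anomaly raises
    # the bar for low-risk vendors too (risk-based authentication).
    needs_second_factor = vendor.risk_level in ("medium", "high") or bool(reasons)
    if vendor.risk_level == "high" and not in_allowed_net:
        decision = "deny"             # restricted data never from an unknown network
    elif needs_second_factor and not attempt.second_factor:
        decision = "step_up"
    else:
        decision = "allow"
    return {"decision": decision, "risk_level": vendor.risk_level, "reasons": reasons}


def unusual_patterns(vendors: dict, attempts: list, threshold: int = 2) -> list:
    """Monitoring: names of vendors with at least `threshold` anomalous attempts."""
    counts = {}
    for a in attempts:
        if evaluate(vendors[a.vendor], a)["reasons"]:
            counts[a.vendor] = counts.get(a.vendor, 0) + 1
    return sorted(v for v, c in counts.items() if c >= threshold)


# Constructed inventory: three hypothetical vendors and the data they may touch.
VENDORS = {
    "payroll-co": Vendor("payroll-co", ["restricted", "internal"], ["203.0.113.0/24"]),
    "signage-co": Vendor("signage-co", ["public"], ["198.51.100.0/24"]),
    "facilities-co": Vendor("facilities-co", ["internal"], ["192.0.2.0/24"]),
}

# Constructed access log: a mix of normal and anomalous attempts.
SAMPLE_ATTEMPTS = [
    AccessAttempt("payroll-co", "svc-payroll", "203.0.113.10", datetime(2024, 3, 4, 10, 0), True),
    AccessAttempt("payroll-co", "svc-payroll", "198.51.100.5", datetime(2024, 3, 4, 11, 0), True),
    AccessAttempt("signage-co", "signage-ops", "198.51.100.20", datetime(2024, 3, 4, 9, 30), False),
    AccessAttempt("facilities-co", "hvac-tech", "192.0.2.7", datetime(2024, 3, 4, 2, 0), False),
    AccessAttempt("facilities-co", "hvac-tech", "192.0.2.7", datetime(2024, 3, 4, 3, 15), False),
]

if __name__ == "__main__":
    for a in SAMPLE_ATTEMPTS:
        print(a.vendor, a.account, evaluate(VENDORS[a.vendor], a))
    print("vendors to review:", unusual_patterns(VENDORS, SAMPLE_ATTEMPTS))
```

The decision function returns the reasons alongside the verdict so the same evaluation feeds both the access control path and the monitoring path; in practice the risk levels would come from the inventory built under Best Practice #1 rather than being hard-coded as here.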
Best Practice #5: Don’t Sit Back — Continuous Improvement of Third-Party Security
Cybersecurity threats don’t stand still. The landscape that we have to deal with is ever-changing. All organizations should have a proactive approach to risk management, and this should extend to your third-party security management. Continuously assess your vendor network and their own security policies. Make sure they are in line with your expectations and compliance requirements. Put a third-party security management committee in place to oversee vendor risk assessment and management as an ongoing concern. Reflect this in your own security strategy and policy document, which vendors have sight of and sign up to.
Third-party security will become a first-party issue if you do not take the same careful approach to your vendors' security procedures as you do to your own.