(UPDATED) One of the most important things we’ve learned from the SolarWinds hack is that organizations need to include all software and apps in their inventories of third-party vendors.
Historically, third-party vendors have been a primary risk when it comes to data breaches — they’re often the weakest link in the chain of protection. Third-party vendors have included core providers like public clouds and Internet Service Providers (ISPs) and specialized providers like supply chain vendors, payroll companies, distribution services, and HVAC or electrical contractors.
Now software providers must also be considered third-party vendors.
Your organization may have dozens or hundreds of vendors, and if one of them becomes compromised, you may be compromised, too. Today, asking each vendor to verify its security practices is part of doing business, as is tracking which apps are being used where and for what.
Many organizations are concerned about asking their vendors to follow best cybersecurity practices before they’ve gotten their own up to par. Don’t wait. Ask now. You can improve your security posture as they report on (and improve) theirs.
Steps to manage third-party vendor risk
Fortunately, there are plenty of resources available to help you to improve your cybersecurity practices, from online standards and tools to experts who can guide you and test your system. These steps outline how to think about securing your IT environment, engage with your vendors, and limit your risk:
- Assess where you stand right now
  - Review the controls from the Center for Internet Security and the NIST Cybersecurity Framework to get an overview of cybersecurity risk management and some of the tools available to you (more details below)
  - Understand the types of data your organization needs to protect — some data is critical to business operations and some isn’t — and where the critical data is located
  - Understand the loss value to your business, including financial and reputational loss, if this critical data were to be lost or unavailable
  - Review what’s involved in a risk assessment, the most effective way to find and fix your shortcomings
- Determine how to limit your third-party exposure
  - Compile a list of every vendor and app in your ecosystem
  - Meet with your leadership team to determine the level of risk your organization is comfortable carrying
  - Based on your risk comfort level, determine which third-party protections are necessary for your organization
  - Develop a written set of requirements for your vendors — make sure it covers their subcontractors as well
  - Develop a verification process for vendor compliance with your requirements
  - Review the data each vendor is accessing
  - Confirm your organization is only sharing the information each vendor needs to do its work
  - Stop sharing non-essential data with vendors, especially personally identifiable, financial, and proprietary information
  - If you uncover any serious vulnerabilities during your review, take corrective action immediately
- Discuss cybersecurity with each vendor
  - Contact each vendor to let them know your organization is improving how it manages cybersecurity
  - Share your new set of written requirements with each vendor
  - Ask each vendor for a third-party attestation letter or other documented verification of their security practices
  - If a vendor has documentation, make sure it meets your requirements
  - If a vendor doesn’t have documentation or if their documentation doesn’t meet your requirements, give them time to review your requirements and respond
- Establish ongoing verification of their security processes
  - Ask each vendor to submit to your verification process or hire a third party to conduct regular audits
  - Put your requirements and verification process into their contracts moving forward
- Test and update your system
  - Establish a process for continually reviewing and updating your requirements as cybersecurity risks change
  - Conduct regular penetration tests once your vendors have completed their improvements
  - If a vendor is unable or unwilling to bring their cybersecurity practices up to speed or is moving too slowly, determine if the risk is worth doing business with this vendor
Where to find established standards and guidelines
These are the two best resources for detailed cybersecurity recommendations and processes:
Center for Internet Security CIS Controls
The Center for Internet Security is a nonprofit organization that works to help safeguard public and private organizations against cyber threats through global standards and best practices. CIS Controls™ is a set of actions and related resources that covers three categories of controls — basic, foundational, and organizational. It also offers a risk management method called CIS RAM for CIS Controls V7 to implement and assess your security posture against the CIS Controls.
NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) at the U.S. Department of Commerce provides technology, measurements, and standards to support U.S. businesses. It has created the NIST Cybersecurity Framework to provide guidelines that help organizations better understand and improve how they manage cybersecurity-related risk and the Baldrige Cybersecurity Excellence Builder (BCEB) self-assessment tool to put those guidelines into action. When organizations protect themselves, they also help protect the U.S. economy and national security.
How to work together
Remember, it’s important not to wait to get your own house completely in order before asking your vendors to do the same. Work on your cybersecurity issues at the same time – together, even, if that makes sense. Discussing how to best improve cybersecurity while working together will lead to better results.
Before you begin the conversations with your vendors, leadership should determine:
- How far do we need to look into each vendor’s ecosystem to shore up our own security?
- How might security improvements affect performance?
- How much negotiating power do we have and what’s the best way to apply it?
- At what point is it better to change vendors to get better security?
- How much will it cost us to make the improvements on our end?
Regarding your software and apps, ask:
- Have we documented what information each app can access?
- Have we documented how to quickly uninstall and patch each app?
- Has each app provided us with a cybersecurity bill of materials (CBOM)?
Think of managing third-party vendor risk as a continuing process of improvement. Done properly, your process will improve and become more effective over time, yet there’s no point at which you and your vendors can stop paying attention to it. As long as there’s technology, there will be hackers.
What to expect when you’re improving
There’s no getting around the fact that updating and verifying cybersecurity processes can be time-consuming and costly, especially if you have a lot of improvements to make. A single cybersecurity audit, for example, can cost up to $50K or much more, depending on the situation. If you have groundwork to do on your end — such as building your inventory of third-party vendors and selecting the security controls for each — you’ll need to budget for these activities, too.
Ignoring or postponing action, however, won’t help your organization stay secure. Businesses that suffer a significant breach may never fully recover, and there are often legal implications or permanent stains on their reputations if they do.
Your goals when guarding against third-party risk are to avoid as much risk as reasonably possible, have vendor accountability across the board, and get insurance for what you can’t otherwise protect. Working your inventory in priority order will help you focus your energy and spending.
A service provider or risk management expert can help streamline the process for you. Experts stay on top of the latest threats and best practices and can help you systematically tackle even the most complex situations.
- For comprehensive risk assessments and penetration tests, choose a partner with a solid track record and familiarity with your industry.
- For guidance on dealing with the SolarWinds hack, the cybersecurity company that discovered the trojanized SolarWinds software update, FireEye, offers some specific techniques and opportunities.
- For a long-term cybersecurity partner, choose one that has at least ten years of experience and deep knowledge of the best ways to manage third-party risk, including cloud-based services. Leapfrog has prepared a Cybersecurity Partner Interview Guide to help.