Third-party vendors are one of the largest sources of data-breach risk, because they are often the weakest link in your chain of protection. Third-party vendors include core providers such as public clouds and Internet Service Providers (ISPs) as well as specialized providers such as consultants and HVAC companies. Organizations often have dozens or even hundreds of vendors, but if a breach reaches your organization through one of them, your customers won't care whose fault it is. They'll remember the problem was you.
Even if your own cybersecurity procedures are not as strong as you'd like them to be, you can (and should) take steps now to reduce your exposure to a supply-chain attack. There are plenty of resources available to help you, from published standards and tools to experts who can guide you and test your systems. Vendor risk management is doable. Here's how:
Six steps to manage third-party vendor risk
- Assess where you stand right now
  - Review the CIS Controls from the Center for Internet Security and the NIST Cybersecurity Framework to get an overview of cybersecurity risk management and some of the tools available to you (see below)
  - Understand the types of data your organization needs to protect and where that data lives, including which vendors hold or process it
  - If your organization needs to up its own game, consider a risk assessment to develop a blueprint for closing the gaps, but do not wait to finish fixing your own shortcomings before you ask your vendors to fix theirs
- Determine how to limit your exposure through your vendors
  - Apply your organization's risk appetite to decide which third-party protections are necessary for each vendor, based on what that vendor can access
  - Develop a written set of security requirements for your vendors that also covers their subcontractors (your fourth parties)
  - Build and maintain a complete inventory of every vendor in your ecosystem so you can vet them systematically and in priority order
- Determine what information you're currently sharing
  - Review the data and systems each vendor can access, including accounts, network connections and API keys, not only the files you send them
  - Confirm you're sharing only the information each vendor needs to do its work, and revoke any access that exceeds that need
  - If you find serious exposures, such as a vendor with standing access to sensitive data it has no business reason to hold, take action immediately
- Discuss cybersecurity with each vendor
  - Let them know your organization is improving how it manages cybersecurity and share your new requirements with them
  - Ask whether they have a third-party attestation (for example, a SOC 2 report issued under SSAE 18) or other documented verification of their security practices; if so, check whether its scope and findings meet your requirements
  - If they have no documentation, or the documentation doesn't meet your requirements, give them a defined period to review your needs and respond
- Establish verification of their security processes
  - Ask each vendor to submit to your verification process, or hire a third party to conduct regular audits
  - Put your evidence requirements, such as a right-to-audit clause, into their contracts going forward
- Test and update your system
  - Conduct regular penetration tests once your vendors have completed their improvements; testing a vendor's own systems requires that vendor's written authorization, so cover it in the contract or rely on the vendor's own test reports
  - Continue to review and update your requirements as security risks change (which is constantly)
  - If a vendor is unable or unwilling to bring its cybersecurity practices up to speed, or is moving too slowly, decide whether the risk is worth continuing to do business with that vendor
Weighing costs and benefits
Updating and verifying cybersecurity processes and procedures can be time-consuming and costly, especially if there's a lot of work to be done. A single cybersecurity audit, for example, can cost $20K to $50K or much more, depending on its scope. If you have work to do on your own side, you'll need to budget for those improvements too.
With third-party vendor risks on the rise, ignoring or postponing action because it's difficult won't help your organization stay in business. Businesses that suffer a significant breach may never fully recover, and the damage to their reputation can be permanent. How many of these top breaches do you remember reading about?
Your key priorities are to avoid as much risk as reasonably possible, to hold every vendor accountable, and to insure against what you can't otherwise protect.
Where to turn for help
Luckily, there are plenty of resources for organizations that are ready to up their cybersecurity game and reduce third-party vendor risk; you are not alone in having this need. Two of the best places to turn for standards and guidelines are:
Center for Internet Security CIS Controls
The Center for Internet Security is a nonprofit organization that helps safeguard public and private organizations against cyber threats through globally recognized standards and best practices. The CIS Controls™ are a prioritized set of actions and related resources; version 7 groups them into three categories (basic, foundational, and organizational), while the later version 8 replaces those categories with Implementation Groups (IG1 to IG3) sized to an organization's resources. CIS also publishes CIS RAM, the CIS Risk Assessment Method (originally released for CIS Controls V7), for implementing the Controls and assessing your security posture against them.
NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, provides technology, measurements, and standards to support U.S. businesses. It created the NIST Cybersecurity Framework to help organizations better understand and improve how they manage cybersecurity-related risk, and the Baldrige Cybersecurity Excellence Builder (BCEB) self-assessment tool to put those guidelines into action. The framework organizes security outcomes into core functions (Identify, Protect, Detect, Respond and Recover in version 1.1; version 2.0 adds Govern), which map naturally onto the vendor steps above. When organizations protect themselves, they also help protect the U.S. economy and national security.
For an example of how the BCEB tool works, take a look at how the Information Security Team of the University of Kansas Medical Center put it to work.
What to do if your own practices aren’t secure
It’s important not to wait to get your own house completely in order before asking your vendors to do the same. Work on your cybersecurity issues at the same time – together, even, if that makes sense. Discussing how to improve cybersecurity as you work together will lead to better results.
As you dive deeper into the work of improving your cybersecurity posture, it can get increasingly complex. How far into each vendor’s ecosystem do you need to look and try to shore up? How might any security improvements affect performance? How much negotiating power do you have and what’s the best way to apply it? At what point is it better to change vendors to get more security?
Working with a service provider or risk management expert can streamline the process for you and get you where you want to be faster. Every day there are new risks — staying on top of the latest threats and best practices is how organizations stay secure. For two decades, Leapfrog has been investing in a continually updated security discipline that protects our clients’ ecosystems, including protecting them from risks from third-party vendors. Our team has seen a lot of changes over the years, and the shift to cloud-based computing and as-a-service solutions has brought a whole new set of complexities to be managed. We have a lot of experience selecting, optimizing, and managing core vendors, and we’re glad to provide our clients with the peace of mind that comes with being an SSAE-18 compliant provider.
We also work with partners who conduct comprehensive risk assessments and penetration tests and offer cloud-based disaster recovery solutions in case the worst happens. If you want to discuss your organization’s third-party vendor risk or how managing your security could put you in a better position to win new business, please contact us at Leapfrog.
If you liked this post, don’t forget to subscribe to FrogTalk, our monthly newsletter.