Your Vendors Are a Risk. Here Is What You Can Do
It is likely your organization relies on third parties to sustain day-to-day business operations; two-thirds of companies do. Spending on outsourcing more than doubled between 2000 and 2012, from $45 billion to $99 billion.[i] But how secure is your supply chain? Of the data breaches in 2013, 63% involved a third party.[ii] Organizations rely on third parties for any number of functions in the supply chain, many of which involve sensitive data or critical business processes. As a result, third parties frequently create access points into your network, and attackers have realized that it is often easier to reach your network through a third party with weaker defenses than to attack you directly.
Third parties are often insiders by default, with access levels equal to or greater than those of internal employees, depending on their function. The strength of the controls your organization implements to defend against a breach is only part of the battle, because your vendors also present a significant risk if they are not properly vetted.
Although roughly two-thirds of these breaches involve third parties, only 32% of organizations require vendors to comply with the organization's own security policies.[iii] An organization of any size may suffer a breach.
To grasp the magnitude of the issue, just check the news: headlines abound of well-known, trusted businesses breached through a business partner, and the damage can be immense:
- In November 2013, Target's corporate network was breached after a phishing email duped at least one employee at a refrigeration contractor. The attackers installed Citadel, a banking Trojan, which captured the contractor's login credentials for Target. With that foothold, the intruders gained access to 40 million Target customer credit cards. The breach reportedly cost Target $252 million in expenses.[iv]
- AT&T recently agreed to pay a $25 million civil penalty to the Federal Communications Commission (FCC) over data breaches at call centers in Mexico, Colombia, and the Philippines that exposed the names and Social Security numbers of roughly 280,000 U.S. customers.[v]
- In August 2013, the Syrian Electronic Army hacked the websites of a number of high-profile media outlets, including Time, CNN, and the Washington Post, via a successful phishing campaign against Outbrain, a content recommendation service the outlets relied on.[vi]
These attacks underscore the importance of finely tuned security practices as well as the necessity of effective third-party management. According to a PricewaterhouseCoopers (PwC) survey on US cybercrime, only 41% of companies have a process for assessing the cybersecurity of the third parties they share data with.[vii] As organizations develop their own security programs, many seem to have lost sight of an important fact: every access point into an organization's network should be evaluated as a potential risk.
What can my organization do about third-party risk management (TPRM)?
Communicate with all stakeholders.
It is vital to take a holistic approach to managing your organization's IT security, and where many organizations fail is communication, particularly in managing third parties. Security personnel should be involved not only in contract discussions but throughout the entire vendor acquisition process. Establishing a process that accounts for both business needs and risk makes third-party management more efficient, and it begins with executive support and communication between the stakeholders.
Establish a program.
In some industries, such as healthcare and financial services, third-party risk management is driven by regulatory requirements. Regardless of your industry, if you care about protecting your data, you need to establish a system to monitor your vendors. By establishing a program made up of both line-of-business and IT security personnel, your organization can define roles and responsibilities and develop a framework to assess third parties. One size does not fit all: organizations work with vendors of varying functions and criticality, so the framework must be adaptable to your business needs.
Understand your relationships.
Do you know who has your data and where it is stored? Do you have third parties that in turn have vendors of their own (fourth parties to you) who may share your data? According to PwC, 69% of enterprises do not have an inventory of where their data resides.[viii] Creating an inventory is a substantial task, but a worthwhile one. Additionally, your organization should establish a register or profile of all vendors and have a strong understanding of each relationship, including what data, if any, the vendor processes. This is where effective communication between IT security personnel and the respective business unit becomes so vital: since business personnel generally work with the suppliers, they must be able to provide an in-depth register or profile of the relationship so that criticality can be assessed and security can apply controls effectively.
Assess your third parties.
An effective program assigns criticality to suppliers based on risk. Many organizations use this as the basis for a tiered assessment system that applies security controls proportionate to each third party's tier. In many cases the assessment is a questionnaire, but more critical suppliers warrant a "trust but verify" approach, whether via remote presentation of evidence or an onsite assessment, to confirm that the proper controls are in place. Document the issues and follow through afterward; you may not be able to force remediation of every finding, but there is substantial value in a comprehensive supplier register or profile for evaluating and tracking risk.
Going forward, establish timelines for re-assessment based on criticality, and add checks between assessments to confirm that controls remain in place and are implemented properly.
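One way to put the register, tiering and re-assessment cadence described above into code, as an added example that is not part of the original article: each vendor is scored on the data it holds, its access into your network, record volume, fourth parties and business criticality; the score maps to a tier; the tier determines the assessment method and re-assessment interval; and the vendors whose re-assessment is due are listed. The weights, tier cut-offs, intervals and vendor records (RefrigerationCo, PayrollProcessor and the rest) are constructed assumptions to be tuned for your own business.

```python
"""Third-party risk register: tier vendors by criticality, derive the
assessment method and re-assessment cadence from the tier, and list the
vendors whose re-assessment is due. Added example, not code from the
original article; weights, cut-offs, cadences and vendor records are
constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Constructed scales: sensitivity of the data the vendor holds, and the
# depth of the vendor's access into our own environment.
DATA_SENSITIVITY = {"none": 0, "internal": 1, "confidential": 2, "regulated": 3}
ACCESS_LEVEL = {"none": 0, "portal": 1, "vpn": 2, "privileged": 3}

# Tier -> (assessment method, re-assessment interval in days). Assumed values.
ASSESSMENT_PLAN = {
    1: ("onsite assessment with control evidence", 365),
    2: ("remote control walkthrough with evidence", 365),
    3: ("security questionnaire", 730),
    4: ("security questionnaire", 1095),
}

AS_OF = date(2015, 10, 16)   # "today" for the worked run below


@dataclass
class Vendor:
    name: str
    function: str
    data_handled: str                  # key into DATA_SENSITIVITY
    access: str                        # key into ACCESS_LEVEL
    record_count: int = 0              # records of our data the vendor holds
    fourth_parties: List[str] = field(default_factory=list)
    business_critical: bool = False
    last_assessed: Optional[date] = None


def risk_score(v: Vendor) -> int:
    """Additive inherent-risk score. Weights are an assumption."""
    score = 3 * DATA_SENSITIVITY[v.data_handled] + 2 * ACCESS_LEVEL[v.access]
    if v.record_count >= 100_000:
        score += 3
    elif v.record_count >= 10_000:
        score += 1
    if v.fourth_parties:          # our data is passed on to parties we never vetted
        score += 2
    if v.business_critical:
        score += 2
    return score


def tier(v: Vendor) -> int:
    """1 = most critical. Any path into the network floors the tier, because a
    vendor holding none of our data can still be the attacker's way in."""
    s = risk_score(v)
    t = 1 if s >= 12 else 2 if s >= 6 else 3 if s >= 2 else 4
    if ACCESS_LEVEL[v.access] >= ACCESS_LEVEL["vpn"]:
        t = min(t, 2)
    elif ACCESS_LEVEL[v.access] > 0:
        t = min(t, 3)
    return t


def assessment_method(v: Vendor) -> str:
    return ASSESSMENT_PLAN[tier(v)][0]


def next_reassessment(v: Vendor, today: date) -> date:
    """A vendor that has never been assessed is due immediately."""
    if v.last_assessed is None:
        return today
    return v.last_assessed + timedelta(days=ASSESSMENT_PLAN[tier(v)][1])


def interim_check(v: Vendor) -> Optional[date]:
    """Mid-cycle evidence check between full assessments, top two tiers only."""
    if v.last_assessed is None or tier(v) > 2:
        return None
    return v.last_assessed + timedelta(days=ASSESSMENT_PLAN[tier(v)][1] // 2)


def reassessments_due(register: List[Vendor], today: date) -> List[str]:
    return sorted(v.name for v in register if next_reassessment(v, today) <= today)


def sample_register() -> List[Vendor]:
    """Constructed vendor records for illustration."""
    return [
        Vendor("RefrigerationCo", "HVAC maintenance", "none", "vpn",
               last_assessed=date(2014, 6, 1)),
        Vendor("PayrollProcessor", "payroll", "regulated", "none", 50_000,
               ["CloudHostInc"], business_critical=True,
               last_assessed=date(2014, 9, 1)),
        Vendor("CallCenterBPO", "customer support", "regulated", "vpn", 280_000),
        Vendor("ContentRecs", "web content widgets", "internal", "portal",
               last_assessed=date(2015, 1, 10)),
        Vendor("OfficeSupplies", "stationery", "none", "none",
               last_assessed=date(2012, 1, 1)),
    ]


if __name__ == "__main__":
    for v in sample_register():
        print(f"{v.name:17} tier {tier(v)}  {assessment_method(v):45} "
              f"next due {next_reassessment(v, AS_OF)}")
    print("due now:", reassessments_due(sample_register(), AS_OF))
```

The point of the floor in `tier()` is the one the article makes about access points: RefrigerationCo holds none of your data and would otherwise score as a low-risk questionnaire vendor, but its VPN path into your network places it in tier 2 with an annual evidence-based review. A vendor with no recorded assessment (CallCenterBPO here) is always reported as due, so nothing in the register silently escapes review.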
Research shows that a breach involving a third party costs more than a direct breach, adding $14.80 to the cost per compromised record, not to mention collateral brand reputation and business costs.[ix] A marked increase in third-party breaches in an increasingly connected world means that, as an organization, you cannot afford to ignore third parties in your information security program.
[i] Closing the Gaps in Third-Party Risk Management: Defining A Larger Role for Internal Audit. Rep. no. 13: 978-0-89413-816-4. Crowe Horwath, The Institute of Internal Auditors, Nov. 2013.
[ii] "Outsourcing Risk: Who Pays Most When Customer Data Is Breached?" ASU W.P. Carey School of Business, 24 Mar. 2015. Web. Oct. 2015.
[iii] 2015 Global Security Report. Trustwave, 2015. Web. Oct. 2015; and The 2015 US State of Cybercrime Survey. PwC, July 2015. Web. Oct. 2015.
[iv] McGinty, Kevin M. "Target Data Breach Price Tag: $252 Million and Counting." The National Law Review. N.p., 26 Feb. 2015. Web. 16 Oct. 2015.
[v] Gross, Grant. "AT&T's Data Breach Settlement Called a 'slap on the Wrist'" Computerworld. 9 Apr. 2015. Web. Oct. 2015.
[vi] Bump, Philip. "Syrian Hackers Use Outbrain to Target The Washington Post, Time, and CNN." The Wire. 15 Aug. 2013. Web. 16 Oct. 2015.
[vii] The 2015 US State of Cybercrime Survey. PwC, July 2015. Web. Oct. 2015 (see [iii]).
[viii] "PwC Viewpoint of Third-Party Risk Management." PricewaterhouseCoopers LLP, 2013. Web. Oct. 2015.
[ix] 2014 Cost of Data Breach Study: Global Analysis. Ponemon Institute LLC, IBM, May 2014. Web. Oct. 2015.