How do you break into a bank? In the old days, burglars would dig their way into the vault from a basement next door.
In today’s digital economy, hackers don’t barge through the front door, either. They are looking to circumvent the cybersecurity barriers of financial service providers and other security-conscious companies by targeting potential weak spots on their IT periphery - such as less guarded software vendors or law firms with access to the bank’s network.
How can companies assess and manage third-party risk? Vendor risk management ranks high now on the agenda of enterprise CIOs and CISOs in the financial services industry and its business partner ecosystem. But what about other sectors?
Law firms were the first to feel the pressure, as described elsewhere on this blog. Yet in many organizations, regardless of industry, the IT infrastructure continues to remain under threat through undetected and unmitigated vendor risks.
You may have heard how vendors contributed to recent large-scale data breaches at retailers, healthcare providers and government agencies.
To be clear - third parties didn’t “cause” these data breaches by themselves. The surveys and research results covered in this post illustrate an endemic lack of vendor risk awareness and management.
The good news for today’s IT leaders is that they can rely on a new breed of SaaS-based vendor risk management tools and services to put the fix in.
A more systematic, data-driven approach is direly needed to prevent further damage.
If your company's vendor risk management meetings feel like this, it's time to reassess.
Photo: Tropical Pete on Flickr
Blind Trust in Vendors Puts Enterprise IT at Risk
For their 2016 Vendor Vulnerability Index [PDF] researchers at secure access solutions provider Bomgar explored the overall grasp that organizations have of how external parties access their IT networks.
The results are sobering. 69 percent of the 608 key decision makers who responded to the survey stated that their company had definitely or possibly suffered a data security breach from vendors accessing their IT infrastructure.
The study included companies in the United Kingdom, the United States, Germany, and France. It reveals that on average, 89 third-party vendors accessed a typical company’s network each week - a number that has likely grown since the study was published.
Its findings indicate a high level of blind trust in third-party vendors, who are often simply handed the keys to the organization’s data kingdom. Rather than granting specific, limited levels of access for various suppliers, 44 percent of the surveyed companies practiced a “full or none” approach to vendor access.
If nothing else, Bomgar’s Vendor Vulnerability Index underlines that third-party cybersecurity risk management deserves more attention.
The results suggest a laissez-faire attitude towards supplier-side cybersecurity that may well explain the recent wave of vendor-related data breaches.
Prime examples are Target, the federal Office of Personnel Management (OPM) (for details, read this report by the House’s Oversight Committee [PDF]), major universities and many healthcare providers .
Vendor contracts that include provisions for data breaches are necessary. But they cannot protect a company against the breach itself.
Which is why CISOs should vendor-proof the IT infrastructure, by putting mechanisms in place to limit access to resources, manage the credentials and track the activities of onsite and offsite contractors when they access the company’s resources.
Following the example of leading financial institutions, they may contractually require third parties - a law or accounting firm, say, IT contractors or a recruiting agency - to use a secure browser such as Authentic8’s Silo when accessing company resources online.
Read / download:
Bomgar: Vendor Vulnerability Index 2016
Poor State of Third-Party Risk Management in Law Firms
Global IT services provider Softtek’s new research report The State of Digital Third-Party Risk 2016 uncovers third-party security vulnerabilities, using methodical and statistical analysis from 2014 and 2015.
The researchers drew from a sample of 1,236 assessments that included a balance of small, midsize and large suppliers (over $50B in revenue).
One key finding: more than half of the vendors failed to pass key controls, indicating a high risk of data breaches that could result in material losses.
The report stresses that clients should be able to audit controls for minimum safety standards, as well as controls for categories where vulnerabilities could result in large business losses.
More financial institutions now subjecting their law firms to cybersecurity audits and requiring the use of secure browsers comes to mind. We have written about this trend in our whitepaper on How Law Firms Can Maximize Security While Granting Access to the Web.
The Softtek report supplies excellent insights and actionable advice for enterprise CIOs and CISOs looking to expand or redesign their supplier security program.
This overview enables them to get a quick grasp of the latest trends, without incurring up-front investments for large-scale risk assessment studies.
Especially law firms and organizations that rely on external legal services should take notice. The authors don’t mince words about the dismal state of IT security in the legal industry:
“This group fails to provide evidence of evaluation of information systems audit controls on a yearly basis, and they often fail to provide evidence of management of technical vulnerabilities.”
Read / download:
Softtek: The State of Digital Third-Party Risk 2016 [PDF]
Data Risk Denial in the Third-Party Ecosystem
The Ponemon Institute has examined Data Risk in the Third Party Ecosystem, and one finding of the resulting report is particularly stunning.
More than one-third of the surveyed companies "do not believe their primary third-party vendor would notify them if a data breach involving sensitive and confidential information occurred."
The study was commissioned by law firm BuckleySandler LLP and risk management consultants Treliant Risk Advisors. It includes responses from 598 individuals familiar with their organization's approach to managing data risks created through outsourcing.
Source: Data Risk in the Third Party Ecosystem (Ponemon Institute)
Above all, the study reveals a staggering lack of confidence in third-party suppliers data safeguards, security policies, and procedures.
Yet 60 percent of respondents also stated that their own companies still don’t monitor the security practices of third-party suppliers who have access to sensitive or confidential information.
If basic monitoring takes place, the study found, it is mostly to ensure the signing of contracts that require third parties to follow certain security and privacy practices (59 percent of respondents). Evaluations like an audit of the vendor’s actual security and privacy practices remain the exception (13 percent of respondents).
Given the significant share of associate/staff level respondents (35 percent, compared to 23 percent at Director level or above), the picture may not be entirely as bleak as the results suggest.
Many staff level employees are likely not familiar with their organization’s approach to managing third-party data risks. The report hints at this caveat in its “Sampling-frame bias” disclaimer.
Still, the prevailing attitude towards third-party cybersecurity risks as illustrated by this Ponemon report seems to be: “We don’t really know, and please don’t tell us. We don’t want to know.”
That may have passed muster a few years back. But today’s enterprise is facing a growing number of class action lawsuits over data breaches and compliance enforcement actions; we have blogged about it here.
In short, it’s “all hands on deck” season for law firms litigating data breaches in court and public opinion. Organizations who still feign ignorance in the face of the perfect third-party risk storm invite data breaches, loss of business, and lawsuits.
Read / download:
Ponemon Insitute: Data Risk in the Third-Party Ecosystem [PDF]
Introduction to Vendor Risk Management
BitSight Technologies, which provides data-driven security ratings for companies and their vendors, insureds and acquisition targets, has published A Security Manager’s Guide to Vendor Risk Management [PDF].
The overview includes questions to ask all vendors, actionable pointers for critical risk vectors and configurations, and a brief introduction into continuous risk monitoring software.
Particularly useful: a shortlist of four risk vectors and configurations to consider when onboarding a vendor.
#3 on that list, “Careless Online Employee Behavior,” got our attention. “Ideally, a third party should hold their employees to the same security standards you set at your company,” the manual recommends.
As an example, the guide suggests checking for any indications of risky online behavior on the vendor side: “Does a large percentage of their employee contact information show up in high-profile data breaches, like Ashley Madison or LinkedIn?”
Yes, such findings should raise a big red flag about the security practices of the vendor. As important as it is to assess a third party’s past security posture and employee behavior - what about nasty surprises that may happen in the future?
To minimize future risk, you should hold vendors to the same security standards as your own staff.
This means requiring and monitoring that the supplier’s employees and contractors who have access to your company’s sensitive data use a secure browser when they access the web, to prevent web-borne attacks from affecting your IT infrastructure.
Read / download:
BitSight Technologies: A Security Manager’s Guide to Vendor Risk Management [PDF]
At-a-Glance: IT Vendor Risk Management (Magic Quadrant)
Gartner “Magic Quadrants” offer visual snapshots, in-depth analyses and actionable advice that provide insights into a market’s direction, maturity, and participants.
According to Gartner, more than 55% of the enterprise’s IT budgets is now spent externally. By 2019, the demand for vendor security and related offerings could grow by 30%, analysts predict.
The IT market research firm included 12 vendors in its Magic Quadrant for IT Vendor Risk Management, which examines the growing niche of automated VRM solutions.
VRM tools enable the assessment, monitoring and remediation of risks that the enterprise faces when using IT vendors and IT service providers.
Included and rated by “Strengths” and “Cautions” were Allgress, Brinqa, EMC (RSA), LockPath, MetricStream, Modulo, Prevalent, Quantivate, RecoveryPlanner, RiskVision (formerly Agiliance), Rsam and SAI Global.
Among the market-driving trends mentioned by the analysts two stood out to us:
- “[I]ncreasing regulatory focus on third-party risks,” which means that business-as-usual is no longer an option.
- “[T]he intersection of IT and operational technology: the Internet of Things.” More plainly put: if stolen PII doesn’t have you worried, what about web-borne attacks executed via third-party code exploits in manufacturing machinery or power plants?
Sounds alarmist? It’s happening already. Authentic8 co-founder and CEO Scott Petry recently blogged about this worrisome trend here.
On the face of it, outsourcing third party risk management to, of all things, a third party IT Vendor “Risk Minder” may sound paradoxical, but it may well help save the hour.
Enterprises have failed to manage, minimize and mitigate third-party risks, as illustrated by a seemingly endless series of large-scale data breaches.
Just like the cloud can help make enterprise computing more secure, as emphasized by the IT security leaders who participated in our “Ransomware 2020” InfoSec Luminary Lineup, third-party IT vendor risk management solutions could be the shift needed to make VRM a reality in more organizations.
For the enterprise CIO or CISO and the team tasked with vendor evaluation, Gartner’s Magic Quadrant for IT Vendor Risk Management serves as a starting point and provides a comprehensive introduction to the matter.
Read / download:
Gartner: Magic Quadrant for IT Vendor Risk Management
PS: Did you find these short reviews helpful? Then you may be interested in the prior post in this series, Five Endpoint Security Resources Every IT Leader Should Know.
About the author: Gerd Meissner writes, edits, reviews and manages content at Authentic8.