From enterprise-sized organizations down to one-person professional firms, critical business information is frequently handled by third-party service providers.
Suppliers and vendors are routinely given access to their customers’ most sensitive systems and data. And just as routinely, this results in massive data breaches.
How can your organization improve security to minimize the risk introduced by third-party suppliers?
Most companies learn about their third-party security gaps when it’s too late - after a data breach. In a recent Ponemon Institute survey, 37 percent of the responding U.S. companies did not believe their main third-party vendors would even inform them in case of a serious data breach.
Companies are depending on IT consultants, accounting and payroll professionals, HR consultants, recruiters and other professional service providers to get the job done and to maintain a competitive edge.
69 percent of the companies responding to Bomgar’s 2016 Vendor Vulnerability survey reported definitely or possibly suffering a security breach from vendor access to their IT infrastructure in the past year.
“The path of least resistance into many organizations is through a third party that has been granted direct access to their environment.”
Notably, 32 percent of professionals involved in third party management don't evaluate third parties before engaging with them, as the Third Party Risk Management Benchmark Report by compliance software provider Navex Global revealed.
In light of these facts, it probably won’t surprise you that once the decision to enter into a business relationship has been made, external vendors face even less scrutiny from their new customers’ IT security professionals.
It’s easy to see why many companies have kicked the can down the road for so long. Before the recent wave of massive data breaches, significant damages to the brand after a catastrophic data breach were a rare exception.
This has changed. Now, they are the rule.
Just ask T-Mobile. Experian, the credit bureau that ran credit checks on T-Mobile’s behalf, was one of its service providers. The irony here is that Experian also sells identity protection and data breach response services. This detail didn’t prevent crooks from breaking into an Experian server that housed sensitive data for its customer T-Mobile. The stolen records - Social Security numbers and other personally identifiable information (PII) of more than 15 million T-Mobile customers and applicants - covered everyone who had applied for a credit check between September 2013 and September 2015.
From 2012 to 2015, a state-sponsored attacker believed to be from China was able to infiltrate the servers of the Office of Personnel Management (OPM), using credentials stolen from an external OPM contractor.
The attack has now been documented in damning detail in this report by the House Oversight Committee [PDF]. (Authentic8 still provides free use of Silo, the most secure browser available, for victims of the OPM breach.)
Major consumer brands have lost the trust of customers as a consequence of large-scale data breaches that were facilitated by security weaknesses in their supply chain. A prime example is Target, where roughly 40 million credit and debit card records were stolen, and the personal data of up to 70 million customers was exposed - as many as 110 million people affected in total.
The attackers found their way into Target’s network through a refrigeration and HVAC contractor. A targeted phishing email planted Citadel, a password-stealing variant of the Zeus banking Trojan, on the contractor’s computers; the malware captured the contractor’s login credentials for Target’s vendor portal, which the attackers then used as their way in.
Healthcare providers have been especially hard hit. According to a report published earlier this year, half of the organizations surveyed by Ponemon Institute suffered data breaches caused by vendor business associates.
Now the industry is facing a growing number of class action lawsuits and record-breaking Health Insurance Portability and Accountability Act (HIPAA) enforcement actions.
Litigating data breaches and privacy violations - in court and public opinion - has become big business for law firms. When something goes wrong because one of your vendors messed up, it’s your organization that will likely be held accountable, by your customers, business partners, and by their lawyers.
How to Reduce the Risk of Third-Party Data Breaches?
Organizations of all sizes can take preventive measures when using third-party resources, to minimize the risks of a potentially crippling data breach.
Vendors that could compromise your company’s data include
- external IT contractors, who may maintain your computing infrastructure, email server or in-house database, on-site or remotely
- temporary workers and contractors sent in by staffing agencies and often tasked with processing extremely sensitive transactions
- outsourced services - payroll, the company’s law or accounting firm, external recruiters and HR consultants - accountants and auditors have access to sensitive files and directories; recruiters may email or upload malware-infected resumes to HR or the hiring manager
- press release distribution services - if leaked prematurely, corporate news releases of a publicly traded company can send its stock value into a tailspin.
While privileged access by outsiders to such data may only be temporary (from upload time to actual release date), a data breach can still result in irreparable damage.
U.S.-based stock traders and Ukrainian cyber criminals reportedly bagged $100 million in illegal profits from manipulating the stock market, after stealing not-yet-published news releases from leading U.S. corporations.
Removing the attack surface that third parties would use
One troubling fact that emerged from most of the cases mentioned earlier: the same companies that mandate background checks for their employees often skip necessary due diligence when it comes to vetting vendors before giving them access to their systems or data.
Is your company holding outsiders to the same - or even higher - level of scrutiny as your own employees? As a first step, check your suppliers’ cybersecurity credentials and policies. Then make information security requirements and obligations part of your organization’s written agreements with all third-party vendors.
For a more detailed overview of vendor management best practices, I recommend this post on the BitSight Technologies blog: 12 IT Vendor Management Best Practices That Will Prevent Embarrassing Headlines.
Contractual clauses should clarify the obligations of the vendor following any data breach that could affect your business. But they cannot protect you against the breach itself.
That’s why information security management needs to focus on what your company can control, by shielding its own IT perimeter from vendor-induced threats.
This can be accomplished by minimizing the attack surface and shifting it away from your organization:
What IT security leaders in banking can teach us about reducing third-party cybersecurity risks
Wall Street banks and financial service providers command billion-dollar cybersecurity budgets. Yet even companies with a much smaller budget can take one of the most important precautions on the checklist of major players in the banking industry.
To insulate their operations from cybersecurity vulnerabilities typically introduced by external partners, they’ve established a secure browsing environment when employees access the web.
Leading banks are now even mandating the same for their business partners, like law firms (more about this in our whitepaper IT vs. Users? How Law Firms Can Maximize Security While Granting Access to the Web).
You should follow their lead, and here’s why: Regular browsers download and execute web code (JavaScript, plugins, rendered documents) on the local computer. A link or attachment from a compromised contractor or supplier that an employee opens in such a browser therefore runs on the corporate endpoint, which makes the browser the primary gateway for attacks that originate with your company’s contractors or suppliers.
Tip: Check out 5 Vendor Risk Reports Every IT Leader Should Read on this blog!
Rather than deal with this risk on their own infrastructure, security-conscious organizations turn to Authentic8's patented browser isolation technology, as a way to shift the attack surface away from their environment to a secure, disposable infrastructure.
Silo renders all web content in a secure container in the cloud, outside the corporate network. Only display information is delivered back to the user's device, using an encrypted connection. At the end of each session, the Silo instance in the cloud self-destructs - leaving no residue on the user's device.
A secure browser to remove vendor risks
Silo’s intuitive administrator console empowers admins to centrally manage robust access, data and use policies and credentials. They can provide and terminate access to network resources from devices as well as set data location policies.
When provisioning access to a company cloud account to a third party, admins can set the access credentials within Silo, then conveniently revoke them at the end of a project or when switching suppliers.
For example, a law firm could grant selective access to file directories, online libraries and printers to an outside team of document reviewers. Once the project is completed, all related accounts are switched off, to further reduce the common risk of third-party data breaches due to “forgotten” accounts.
One main reason IT managers have been slow in vendor-proofing the enterprise: the lack of mechanisms to easily track the activities of onsite and offsite contractors when they access corporate resources.
In the words of Matt Dircks, CEO of Bomgar: “[T]here’s a high level of trust in third-party vendors, but very little visibility or control over what they’re doing when connected to the company’s network.”
Silo solves this problem by logging all user and administrator activities within the virtual browser. Your business can use this log (which is protected with an encryption key that you control) to track vendor activities on your network and their progress while working with your resources.
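The two checks described above - switching off project accounts once the work is done (the "forgotten account" problem) and reviewing vendor activity logs against what each vendor was actually granted - can both be automated in a few lines. The following is an added example written for this article, not Authentic8's code and not a Silo API: it audits a handful of constructed access-log lines against a hypothetical vendor registry. The log format (`timestamp user action resource result`), the account names, the registry fields and the contract dates are all assumptions made for the example.

```python
"""Audit vendor access against contract scope and end dates.

Added example for this article (not Authentic8's code). The registry,
log format and sample lines below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Hypothetical registry of third-party accounts: which vendor owns the account,
# when its access was supposed to end, which resources it was granted, and
# whether the account is still enabled. All values are constructed.
VENDOR_REGISTRY = {
    "docreview-01": {
        "vendor": "Acme Document Review",
        "ends": date(2016, 9, 30),
        "allowed": {"/share/matter-4471", "/library/cases"},
        "enabled": True,          # project over, but nobody switched it off
    },
    "payroll-svc": {
        "vendor": "PayCo",
        "ends": date(2017, 12, 31),
        "allowed": {"/hr/payroll"},
        "enabled": True,
    },
}

# Constructed log lines: "timestamp user action resource result".
SAMPLE_LOG = """\
2016-09-28T14:02:11 docreview-01 READ /share/matter-4471 OK
2016-10-03T09:15:40 docreview-01 READ /share/matter-4471 OK
2016-09-29T11:45:03 docreview-01 READ /hr/payroll DENIED
2016-10-02T08:00:00 payroll-svc WRITE /hr/payroll OK
2016-10-02T08:05:12 temp-rec-77 READ /hr/candidates OK
"""


@dataclass
class Finding:
    kind: str        # what rule fired
    user: str
    when: datetime
    resource: str
    result: str      # OK / DENIED as recorded in the log


def parse_log(text):
    """Turn the five-field log format into (datetime, user, action, resource, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, result = line.split()
        events.append((datetime.fromisoformat(ts), user, action, resource, result))
    return events


def audit(events, registry):
    """Flag activity by unknown accounts, after contract end, or outside granted scope.

    A DENIED attempt outside scope is still reported: the access control held,
    but a vendor probing resources it was never granted is worth a conversation.
    """
    findings = []
    for when, user, action, resource, result in events:
        entry = registry.get(user)
        if entry is None:
            findings.append(Finding("unregistered_account", user, when, resource, result))
            continue
        if when.date() > entry["ends"]:
            findings.append(Finding("access_after_contract_end", user, when, resource, result))
        if resource not in entry["allowed"]:
            findings.append(Finding("out_of_scope_resource", user, when, resource, result))
    return findings


def stale_accounts(registry, as_of):
    """Accounts whose contract has ended but that are still enabled ("forgotten" accounts)."""
    return sorted(u for u, e in registry.items() if e["enabled"] and as_of > e["ends"])


if __name__ == "__main__":
    for f in audit(parse_log(SAMPLE_LOG), VENDOR_REGISTRY):
        print(f"{f.when.isoformat()} {f.user:<14} {f.kind:<26} {f.resource} ({f.result})")
    print("still enabled past contract end:", stale_accounts(VENDOR_REGISTRY, date(2016, 10, 5)))
```

Run against the constructed lines, the audit reports three findings: the document reviewer account still reading the matter share three days after its contract ended, the same account's denied attempt on the payroll directory (out of scope), and an unregistered temp account touching HR data. The stale-account check separately lists `docreview-01` as still enabled past its end date, which is exactly the account that should have been switched off when the project closed.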
Yes, vendor relationships require mutual trust to be successful. But to protect your business against vendor vulnerabilities, it also helps to keep a Russian proverb in mind that was a favorite of both Vladimir Lenin and Ronald Reagan:
"Doveryai, no proveryai" - "trust, but verify.”
Get started - try Silo for free: https://www.authentic8.com/intro