Blog
Third-Party Risks to Consider—and Manage
Acceptable business risks must be managed, and none more so than those associated with external vendors who often have intimate access to infrastructure or business data. As we’ve seen with numerous breaches where attackers were able to leverage a weakness in a contractor or service provider, third-party risk must be assessed and mitigated during the early stages of such a partnership, as well as throughout the relationship.
By Josh Lefkowitz
Acceptable business risks must be managed, and none more so than those associated with external vendors who often have intimate access to infrastructure or business data. As we’ve seen with numerous breaches where attackers were able to leverage a weakness in a contractor or service provider, third-party risk must be assessed and mitigated during the early stages of such a partnership, as well as throughout the relationship.
The following tips can help security decision makers more effectively address the risks posed by relationships with technology vendors:
Do Your Homework
Conducting thorough due diligence on a prospective vendor is essential. Organizations could evaluate technical and regulatory risk through due diligence questionnaires, for example, or even on-site visits if necessary. The point is to evaluate not only a third party’s information security risk, but compliance with regulations such as GDPR for privacy and PCI-DSS for payment card security, for example. An organization may also want to evaluate a third party’s adherence to industry standards such as NIST or ISO in certain security- and privacy-related areas.
Next, consider what this compliance information doesn’t tell you. What do you still need to learn about the vendor’s security posture before deciding whether you’re comfortable with it? Think about what questions you still have and, if possible, seek answers from the vendor’s appropriate security contact. Here are some questions to pose:
• When was your last penetration test? Is your remediation on schedule?
• Have you documented security incidents? How did you remediate those incidents?
• Do you have the result of your last business continuity test? If yes, can you share it?
• What security controls exist for your users? Do they use multifactor authentication, etc.?
• How are you maturing your security program?
• Are you ISO, SOC 1/SOC 2, and NIST Compliant, and is there documentation to support this?
Additional Security: It’s All in the Controls
If you’re unsatisfied with the answers from a potential partner regarding their security, it’s OK to walk away, especially if you make the determination that working with the vendor may not be critical to your business.
That’s not always the case, however. If you must partner with a particular third party and if no other reputable vendors offer anything comparable, you will likely need to implement additional technical and/or policy controls to mitigate the security risks associated with your business’s use of the offering, such as:
Technical: These are typically restrictions on the access and/or technical integrations of vendor offerings. For example, if a product is web-based but unencrypted, consider blocking users on your network from accessing its website; provided the proper authentication is in place, use its API instead. In most cases, there are two options, remediation or compensating controls:
• Remediation: Can you work with the vendor to remediate the technical risk?
• Compensating controls: If you cannot remediate the risks entirely, can you establish technical compensating controls to minimize or deflect the risk?
Policy: These are policies that users of the offering should follow, such as limits on the types and amounts of data that can be input securely. Some typical policy scenarios include include:
• Regulatory compliance: For example, a vendor’s non-compliance could mandate you walk away from a third-party relationship.
• Contractual obligations: Are there contractual obligations in place with your existing clients that prevent you from working vendors who don’t meet certain security and privacy standards?
• Security best practices: Ensure your policies around risk are enforced and determine whether they may conflict with your vendors’ policies.
Asset Inventory a Must
There are several reasons why it’s imperative to know which of your business’s assets the vendor will be able to store and/or access. For one, this knowledge can help identify and shape any additional security controls. Second, having this knowledge on hand is crucial should the vendor suffer a breach. Knowing exactly what assets were impacted, as well as who is doing what with your inventory, can expedite your response and identify and mitigate any exposure efficiently and effectively.
Response Plans Must Include Partners
Before finalizing a vendor relationship, it’s crucial to use all the information gathered during your due diligence process to construct a response plan in preparation for any future incidents the vendor might experience. Tracking the assets to which your vendor has access is one component of an effective response plan. Others include courses of action to mitigate exposure, disclosure and notification procedures, external communications strategies, and plans to re-evaluate the vendor’s security and remediations following an incident.
The most effective way to manage vendor risk is not to work with any external vendors in the first place, which isn’t a feasible strategy. The most secure and successful vendor relationships are rooted in preparation and transparency. Thoroughly understanding all facets of a vendor’s security program, implementing additional controls as needed to appropriately safeguard your business’s assets, and being prepared to respond to future incidents can go a long way toward reducing business risks associated with any vendor relationship.