Third-Party Data Breaches: How Safe Is Your Organization?
Your data security is only as strong as the most vulnerable vendor that works with your organization’s data. Third-party vulnerabilities have led to some of the most debilitating cyber attacks in recent years, including Toyota, Volkswagen, Accellion, Comcast, Okta, Uber, and SolarWinds. The supply chain comprises of many integrated third parties like vendors, suppliers, contractors, and sub-contractors that require access to an organization’s sensitive information. A recent report from IBM showed that data breaches originating from third-party relationships lasted longer and cost the organization more than if they had been attacked directly. As a result, recent data privacy laws require you to report on your subprocessors, so we need to consider security two, three, and even four levels down.
As a former GRC program leader, vendor risk management was part of my daily work. All vendors that handled sensitive information, like employee and customer data, flowed into our vendor management program. I saw firsthand and continue to see how organizations manage their vendors through disconnected spreadsheets and poorly managed document repositories. When vendor management is a manual process, you risk having redundant suppliers, losing track of which vendors have access to sensitive information, and exposing your organization to the risk of third-party data breaches. In this article, I will share several best practices for managing the risk of data breaches with strong third-party risk management (TPRM).
Best Practice #1: Vet Your Potential Vendors
The most crucial practice in protecting your company from breaches in your supply chain is assessing data security and privacy practices in potential vendors early in the procurement process. The most common way to assess your vendors is by sending out questionnaires about how they handle access to critical and sensitive data. The questions should be tailored on the type and sensitivity of the data they will have access to. Assessing third parties before onboarding helps an organization understand the external security posture of a potential vendor and what cyber threats to expect.
Best Practice #2: Implement Role-Based Access and the Principle of Least-Privilege
Organizations must perform stringent evaluations of the security and privacy practices of parties who have access to their networks and data to ensure vendors only have the access necessary to carry out their responsibilities. Hackers and other malicious parties can exploit integrations between organizations and vendors to access the original organization’s data. Most organizations manage internal access to their critical systems with strategies like Role-Based Access and applying the Principle of Least-Privilege. Combined, you provide individuals with the minimum level of access to do their job based on a pre-defined scope for their roles. The same should be true for third-party access. When provisioning access to vendors, ensure that each department’s role already has a predefined set of roles and access specific to vendor access.
Best Practice #3: Keep an Inventory of Active Vendors
An article from Forbes points out that “most companies simply do not know the number of their suppliers.” Measuring vendor risk is impossible without an inventory of third-party relationships and the data they can access. Once you have an inventory of active/inactive vendors, you can create the data mappings to track what they can access, and you can remove access once a vendor becomes inactive. Keeping a running list of vendors and data mappings would be a daunting manual task, so you may need to consider a Third-party Risk Management (TPRM) solution that integrates with your procurement systems to track when vendors are added and terminated.
Best Practice #4: Continuous Monitoring for Vendors
Organizations should monitor vendors for updates to their SOC reports, pen test results, vulnerability assessments, and other information security and compliance reports. Higher-risk vendors may need more frequent updates, such as on a biannual basis. A TPRM solution for automation to send security questionnaires to vendors to provide updated reports, additional security requirements, or if they’ve been acquired since the last assessment. Keeping a vendor’s current risk profile will help keep your organization informed about the increased risk in their security and privacy controls.
Now Is the Time to Act
Mitchell Nazarov, M.S., CDPSE, works on AuditBoard’s implementation team specializing in compliance. Prior to joining AuditBoard, Mitchell spent 5+ years scaling up GRC programs, vulnerability management teams and leading information security and compliance audits in the application security and healthcare industries. Mitchell specializes in cybersecurity audits, NIST frameworks, SOC 2, enterprise risk management, and software implementations. Connect with Mitchell on LinkedIn.