People assessing a cyber security situation for risk.

Are Your Third-Party Vendors Putting You at Risk?

In Cyber Security Strategy, Risk and Compliance by Ryan Clancy

The past few years have given us not only a staggering amount of Marvel movies, but eye-wateringly expensive data breaches. Some of the most costly and devastating breaches occurred as a result of cyber criminals taking advantage of security weaknesses in third-party vendors. So, are your third-party vendors putting you at risk? Even a single vendor with sloppy security practices can do an impressive amount of damage to your bottom line and reputation. Don’t believe me? Let’s look at the evidence from 2018.

SMBs at Biggest Risk for Breaches, But Enterprises Hit Too

A 2018 report from Kaspersky shows that for small and medium-sized businesses (SMBs), average breach costs rose 36 percent from the previous year, to $120,000, and breaches affecting third-party IT infrastructure were up to $179,000. This isn’t just a SMB problem; businesses of all sizes have been affected by third-party breaches. Ticketmaster international experienced a breach impacting 40,000 individuals that was traced back to malicious software on a third-party system. Those tickets you purchased to the World Competitive Jazz Dancing Extravaganza might have wound up costing more than you thought.

Vevo, a joint venture by Universal Music Group, Sony Music, and Alphabet, had 3.12TB of internal documents exfiltrated from a cloud data storage provider. The access credentials were exposed by a contractor. While some of the lost files were benign, such as the Minions singing a knee-slapping rendition of, “You’re So Vain,” there were quite a few sensitive documents leaked – including the company’s Amazon Web Services (AWS) secret keys, door alarm codes, and root passwords.

If you’ve enjoyed riblets and a mudslide recently, your belt might not be the only accessory in your life feeling the pressure. Applebee’s discovered that third-party point of sale systems at more than 160 locations were laden with malware. The number of exposed records is still unknown at this time. Also still unknown: what exactly is a riblet?

Taking Steps to Protect Your Organization

So, what can your organization do about this problem so you don't become the next victim? Many companies are setting up supplier or third-party risk management programs to prevent this problem. While that might sound like a doozie, the best place to begin is by identifying and categorizing your suppliers.

A critical question to get the process started is: what type of services do your vendors provide? The more critical the service the third-party supplier is providing, the more risk is involved. What types of data does this supplier transmit, store, handle, or process for your organization? Do they have credit card data? Pictures of dogs with hats on? Tax information? If you don’t think you use third-party suppliers, consider who performs your waste disposal, shredding services, or off-site backups.

The most straight forward way companies evaluate their vendors is with a questionnaire or survey. This survey might include questions like:

  • Do you perform background checks on all employees who have access to our data or facilities?
  • Are you encrypting all our data at rest, and if so, with what method or algorithm?
  • What is your documented backup plan for our data?

These surveys are usually filled out by the vendor via an online form or document sent via email, then returned to your organization’s IT, security, or compliance team for review.

Key Takeaways

All the answers the supplier provides must be viewed through the lens of risk and what type of data the third-party supplier handles, stores, or transmits. If the vendor collects payment, personally identifiable information (PII), or other sensitive information, you should scrutinize the survey questions relating to confidentiality and integrity more closely.

If your organization is concerned with availability, more weight should be given to questions concerning data backups, change control, and environmental concerns. Ultimately, each supplier should be given some kind of a risk rating on a scale pre-determined by your organization. Scales can be simple such as “Low – Medium – High,” or you could get creative, and use something like “Good – Sorta - Yikes!”

Next Steps

After you’ve evaluated your suppliers and given each a risk rating, make sure to periodically monitor them. The period of review or reassessment can be based on the vendor’s risk profile. For instance, if a vendor stores and processes highly sensitive legal documents that your organization needs available 24/7 with minimal downtime, it may be worth it to reevaluate that supplier each year. That re-evaluation might even warrant an onsite visit depending on the circumstances, your budget, and whether the vendor’s office is located in a destination you’ve been dying to visit <wink wink>.

Summary

If this process sounds like a lot of work, you’re right, it is. Like all risk management ventures, it will take buy in from top management. But, you should know that you’re not alone when it comes to setting up your cyber security risk assessment program. Companies like Delta Risk have the expertise to climb the mountain with you, and can provide the guidance and expert consultants you need.

Do you need to assess your third-party vendors? Learn more about our services.