Third-Party: The Latent Threat Often Overlooked
Many businesses outsource portions of their operations to third-party companies, either by not having capacity in-house or by wanting the best of what the market can provide, or whatever other reasons. Those organisations have some level of internal security maturity, specially to comply with industry’s standards or required regulations such as PCI DSS for the Card Payment industry, but does the same strict policies and controls also applies for third-parties? Looks like that is not the case for roughly half of the companies out there.
The Ponemon Institute recently released a report in partnership with the security company SecureLink showcasing astonishing results regarding to third-party management. Amongst the juicy findings there is the fact that more than half (51%) of the respondents say that third-parties are being insufficiently assessed or not assessed at all.
“Over half of respondents (51%) say their organizations are not assessing the security and privacy practices of all third parties before granting them access to sensitive and confidential information.”
It is not hard to find security breaches in the news these days. Googling around, many recent ones can be found and looking at the details most of them are related in some way with third-parties and outsourced operations, much like the SolarWinds hack. Here is one example:
As cyberattacks get more and more sophisticated, and with financial gains or state sponsored objectives, attacking the vendor or third-party started proving to be more lucrative, multiple potential targets with just one compromise. The unveiled findings from Ponemon’s report helped putting this often overlooked part of the Information Security under the spotlight, showing the aggravating issue with poor third-party management materialising as one of the weakest points of an organisation’s security posture.
One key takeaway of the report is that many organisations do not view a vendor or third-party as a threat, often relying solely on the third-party’s reputation and contracts where they are bond to adhere to the security practices, and in cases where they do consider as a threat it is hardly a priority, not properly evaluating the current maturity of the security and privacy practices.
There is no problem in defining security requirements in contract or opting for the most prominent vendor or service provider in the field, but none of that exempts the need of the organisation’s own risk and vendor assessments.
Any company is prone to cyberattacks nowadays but doing your due diligence evaluating what level of security and privacy practices you expect from other business coming to work with you definitely reduce the likelihood of being in one of the next headlines under the security section of the news websites. If despite all that a breach happens, plenty evidence exists to identify when and where things got wrong to address.
How this can be improved?
Third-Party Risk Management (TPRM) must be a fundamental process for organisations looking for hiring another business. This process if well implemented can take care of the third-party lifecycle management and also check some boxes (or at least help not breaching them) with regulations such as HIPAA or GDPR.
Following the steps from this blog post and the Ponemon’s report extra actions can be taken in order to improve upon the current security posture and the TPRM:
- During the selection phase of any new project or engagement, evaluate all aspects of the security and privacy posture of the third-party including, but not limited to, their underlying infrastructure, network security, processes, etc. Do not rely only on reputation, fancy badges and bold statements on the website, or contractual obligation.
- When defined the desired third-party, work in conjunction with them to assess their current maturity. This could be done with risk assessment processes, evidence-based questionnaires, overview of solutions or products or evidence of compliance (ISO 27000, SOC 2, etc). For cloud based services and products you can refer to the Cloud Security Alliance’s (CSA) Consensus Assessment Initiative Questionnaire (CAIQ) with a list of great questions that could be asked to the third party in order to gauge their security maturity, or a simpler version with the UpGuard’s Vendor Risk Assessment Questionnaire Template.
- During the engagement, control and closely monitor the activities performed by the third-party, probably the organisation already has policies for identity and access management and monitoring that could be leveraged, applying the same set of access controls to third-parties as to the internal employees.
- Still on access management and permissions, be aware of what assets and information the third-party will be granted. Keep it as close as possible to the Least Privileged principle, only giving access to what is necessary in order to conduct their work. Pulling more statistics from the report to illustrate this point: “65% of the respondents have not identified the third parties with access to the most sensitive data of the organisation”, and “74% of respondents say it was the result of giving too much privileged access to third parties” (referring to breaches in the last 12 months)
- If you do not want to do all those tasks or do not have the capacity to do it, there are services and products out there for third-party assessment like OneTrust (but who assesses the assessors? :D )
The demand for specialists in the varied landscape of modern and emerging technologies is enormous and there is not enough supply to match. Having third-parties helping deliver the business goals definitely allows the organisations to grow faster, however velocity cannot be the only variable, as detailed this link is one of the weakest in the chain, posing serious risks to all kinds and sizes of business. You should treat your partner’s attack surface as your own and work closely with them to keep it under control.
