Most have heard about the 2013 Target data breach. You know, the one that exposed the payment card data of over 40 million customers, resulted in the CEO resigning, and cost Target $252 million. Well, did you know that the initial breach leveraged credentials stolen from their heating and air conditioning vendor? Of course there were many controls absent and things that could have prevented this, but it demonstrates the fact that your security program is only as secure as its weakest link. As such, it is vital that you evaluate the risk of third party vendors.
Unfortunately, even highly regulated industries like the financial sector are failing to adequately assess the risk of third party vendors. A 2015 survey conducted by the New York Department of Financial Services found that one third of banks do not require third parties to notify them of data breaches or other cyber intrusions. Further, less than half of them perform on-site risk assessments. Recently, to help address this risk, the NYDFS released new cybersecurity regulations.
At this point, it is obvious why we need to evaluate the risk of third party vendors and that we are doing a bad job of it. So how should we approach this problem?
Triage Before Assessing Vendors
Before subjecting your vendors to a comprehensive security evaluation, it’s a good idea to determine if it is worth it. There is no reason to subject the vendor who fills your soda machine to a penetration test because they’re not accessing or storing any of your sensitive data. The first step to evaluating the risk of third party vendors is to evaluate what information they can access. How critical is that information? Keep in mind that this includes not only the data they routinely access as part of their job, but also what they could reach if their account were compromised: is your network segmented well enough to keep them out of other areas?
Once you better understand the risk, define several levels of assessment based on it. Vendors with the most access should receive the most in-depth assessment, which should include asking for copies of annual penetration testing, performing on-site evaluations of their security, requiring background checks, etc. For vendors with no access, the process should be much quicker so that it has less of an impact on business processes.
Determine the Compliance Requirements in Play
If one of your third party vendors faces a data breach, your organization could ultimately be responsible if you fail to perform due diligence in assessing their security. If the vendor has access to protected data, such as controlled defense information (DFARS), payment card data (PCI), privacy data (GDPR), or electronic personal health information (HIPAA), then you must ensure they are meeting regulatory requirements. This will vary depending on the requirement, but may include asking for their attestation of compliance, a certification letter, or results of recent audits or security testing.
Utilize a Vendor Self-Assessment Questionnaire
As part of your due-diligence process, you should require vendors to fill out a self-assessment questionnaire. Depending on the risk determined in your triage phase, how you validate their answers can vary from requiring an on-site assessment, to asking for supporting evidence, to simply taking their word for it. There are many third parties who can assist you in managing this process, or you can choose to handle it in-house. Make sure this vendor self-assessment questionnaire is based on an industry-recognized standard. Some standards to consider are the Center for Internet Security’s (CIS) Top 20 Critical Security Controls, NIST SP 800-171, or the Vendor Security Alliance Questionnaire (VSAQ). I would caution against making your own self-assessment questionnaire, as critical controls can easily be missed.
Continuously Monitor the Risk of Third Party Vendors
Finally, it is not enough to do a one-time assessment and assume they are keeping their i’s dotted and t’s crossed from year to year. Just as your organization’s security will slip if not tended to, so will your vendors’. As such, at least annually you should reassess their security posture, ensure they are maintaining their compliance, and re-evaluate the risk they pose.