Why third party cybersecurity matters

Many organizations that have long focused on building their own cybersecurity defenses have come to realize they’re vulnerable to a form of “friendly fire.” If an organization’s third-party vendors have inadequate or lax security controls, hackers can exploit these “trusted” associates and tunnel into systems and networks.

In recent years, 63 percent of breaches were traced to third-party vendors, according to the Soha Systems survey on third-party risk management. Witness a 2015 attack (discovered only in early 2016) on a large fast-food restaurant chain. Using the login credentials of a third-party service provider, hackers were able to gain access to the point-of-sale system used by more than 1,000 franchise restaurants, leading to the exposure of customers’ credit card information. Other recent high-profile breaches resulting from third-party compromises include large discount chain stores, pharmacies and medical centers.

On average, organizations spent $10 million responding to third-party breaches over the previous 12 months, according to a May 2016 Ponemon report. But organizational risk isn’t limited just to direct revenue loss. Reputational impacts, regulatory exposure and lawsuits can cause lasting damage and lead to job losses for executives, directors and others in the organization.

Gauging vendors’ risks

A deep understanding of the cybersecurity capabilities of your vendors and contractors is critical to protecting devices and data, counsels the AT&T Cybersecurity Insights report. Organizations can begin by requiring third parties to complete detailed questionnaires about their security practices and to submit to security audits, and even by conducting penetration tests to help assess the strength of their cyberdefenses. How an organization then folds vendor assessments into its own security profile is determined by its size:

Small or medium-size organizations: Request each vendor to provide a security assessment report that lists the security controls they have in place and the last time they performed a security review.

Large organizations: Include the risk assessment of all vendors in the organization’s master risk register.

For all organizations, security assessments should be ongoing. A variety of third-party monitoring services are available that can further help lessen your exposure to third-party-based breaches.

Strengthening your security profile

With an assessment of your vendors’ security capabilities in hand, you can move on to implementing a robust third-party management program. Best practices to include:

Third-party security management begins at the top. The CEO and board of directors should be involved in overseeing strategy and ensuring employees are educated on vendor cybersecurity.

Not all vendors need the same level of access to your network. Determine their data needs and assign privilege levels that define the type of access, from least to high, based on their assessed risk profile.

The IoT and cloud require additional considerations. Understand the level of threat from third parties’ use of the IoT and cloud and implement strategies to reduce those risks.

Know your third parties’ details. Maintain a current register of each of your vendors that includes their contact information and the information they can access.

All organizations need to recognize that partners and other third-party entities may be a weak link in their overall security regimes. But by taking the necessary precautions to keep hackers from exploiting trusted relationships, you can reduce your exposure to the vast majority of cyberattacks.

Carin Hughes is an editor of the AT&T Cybersecurity Insights reports.

Copyright © 2016 IDG Communications, Inc.