Do third-party vendors have a bullseye on their backs?

Jun 20, 2016 | 7 mins
Cybercrime, Data and Information Security, Data Breach

Third parties can be a security team’s best friend or worst enemy

Because there are so many different kinds of third parties, identifying whether they do or don’t have the right infrastructure or security protocols can be a challenge. Moreover, doing the proper due diligence needed to vet third-party vendors can be costly and time consuming.

As so many organizations rely on a variety of different providers, third parties can become the gateways to the network. In order to mitigate the risk of a breach from a third party, enterprises need to design a vetting process and understand the language of the service-level agreement in order to best evaluate their contracts.


Yong-Gon Chon, CEO of Cyber Risk Management said, “There isn’t a single cloud service provider that offers SLA for security. Uptime, visibility, yes, but there is no equivalent for security. Most say we have this amount of response time for this kind of data breach, or we will notify you in this amount of time if we find this kind of vulnerability.”

The issue, said Chon, is that security is invisible. “It only becomes tangible when things go wrong.” If enterprises know what they stand to lose when things go wrong, they can make security more tangible before it becomes an issue.

“They need to have a handle around what their most valued data assets are within their business,” said Chon.

Asking questions like, ‘What would happen if that information were breached, stolen, or ransomed out of the organization? What do users have access to? What can they copy or delete?’ will give enterprises a clear understanding of how that information flows inside and outside of the organization. “They need a road map to say this is what we should and should not trust with our third parties,” said Chon.

When organizations move out to the cloud, many lack a full appreciation of what the provider will actually give them, including what security the provider is responsible for. Chon said, “They need to understand to whom they are providing access, and they need to be aware of the rules and regulations that govern that.”

There is a dividing line between those third parties that pose greater risk and those that provide a greater level of assurance. That line is the safeguards and policies that the third parties have achieved.

“There are what I would call minimum level of safeguards. Following a risk management framework provides some level of assurance that they have achieved a bar, that they have the right policies, and that they are training their people. There is awareness and an ability to protect their data and they have some certification or validation of those controls,” Chon said.

The organizations that are really leading the way are the ones in heavily regulated environments, said Chon, but the other industries don’t have that same regulatory environment that requires strong oversight of third parties. As a result, these organizations in other sectors are looking to emphasize how to trust their third-party providers.

Vendors, then, want to be able to highlight their position as trusted industry leaders. If security isn’t embedded at the outset, are vendors really focused on designing trustworthy systems?

Edna Conway, chief security officer for Cisco’s Global Value Chain, said there are a number of things to think about in designing architecture from an end-to-end perspective. “‘What is in my value chain?’ is a question that will drive design and development, planning, sourcing mode, quality, delivery, sustainability, and end of life,” Conway said.

Service providers need to think in a layered approach, because security is a journey and a commitment. As Conway said, “Most offerings are an ecosystem of cloud providers likely using two, three, five, or 12 other companies to bring these capabilities into being.”

The shift to third-party vendors doesn’t change the threat landscape that makes all enterprises vulnerable to being manipulated by an outsider who gains unauthorized control over their network. Given the risks posed by malicious actors, including industrial espionage and nation states, that can cause physical or digital disruption and far greater damage, it is incumbent upon the service providers to optimize and deploy a sufficient business model, said Conway.

“A clear architecture converges all on the same domain areas which include security domains, governance security, security in operations and asset management, security in incident management, security in service management, security in logistics and storage, security in the physical environment, and personnel security,” Conway said.

Even for those providers that are thinking in this layered and values-based approach, the personnel security will continue to be a weak link to security. For many employees, the road to breached hell is paved with good intentions. Alastair Paterson, CEO and co-founder at Digital Shadows, pointed out that many breaches are the result of human error.

When it comes to some services, there are so many different aspects of corporate data that are not tracked by the corporation that they don’t even know what is out there. “You can have contractors in working on any service you are contracting out for, and that causes a bit of a risk,” said Paterson.

“A lot of what we see is inadvertent and accidental,” Paterson said. He recounted an incident involving a big label bank, which many assume would have good security, that was using a third party to install a new ATM network. “It turned out that a contractor working at the supplier with the winning bid had backed up his whole laptop without realizing it, which made public all of the private information he had about the bank,” Paterson said.

Larger enterprises that rely upon upwards of 20,000 service suppliers are challenged with keeping track of what is ending up where. “It’s not just about supply chain, though,” said Paterson. “It’s more and more cloud services. There is more being held outside the boundaries, and the enterprise is losing control of where their information is being stored.”

For those who appreciate these concerns about losing control of where their information is stored, Paterson said, “It’s right to embrace all these new technologies and continue to outsource, but you need to look at the vendors and assess their security and check the data that is getting out. That’s a new piece in a security program.”

Designing a vetting process for third party vendors

Conway said that most large providers will not take contractual responsibility for a breach, but there are important questions enterprises should ask when doing their due diligence and choosing their outside providers.

“Ask: who else are you using? Where else will my data go? Will that other service provide the security I expect?” Conway said, but the enterprise always has to be aware of what they put in the cloud. “Contracts shift risk but they do not employ security,” Conway said.

James Christiansen, vice president of information risk management at Optiv, said, “There is no one size fits all when it comes to third parties, but enterprises have the ability to define the amount of risk they have and match it to the amount of due diligence to that risk.”

What enterprises should be looking for is the maturity of the vendor’s security practices, but they also need to communicate their expectations to the vendor. Christiansen said, “Security language is needed in the contract to hold them accountable, and we do see instances where the appropriate controls are not communicated and the right level of expectation is not given to that provider.”


Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications including The Parallax, and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years experience as a high school teacher on English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, The University of Southern California invited Zurkus to give a guest lecture on social engineering.

The opinions expressed in this blog are those of Kacy Zurkus and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
