Third-party vendors — your weakest link?

Aug 23, 2016 | 5 mins
IT Leadership, Security


Some of you may remember the TV game show The Weakest Link, during which a somewhat caustic Anne Robinson would declare one of the nine contestants the weakest link, and summarily kick them off the program.

Now, imagine Anne taking a job as an information security consultant, reviewing security and risk for a medium-sized corporation. I suspect that as she got to the portion of the review involving third-party suppliers, she would quickly yell out “You are the weakest link. Goodbye.”

I have worked with a variety of organizations that, as mandated by HIPAA, PCI, or other standards, must assess the risks of their third-party providers. I have written or reviewed more of these assessments than I could count offhand. As such, I can confirm that third parties are often the easiest approach to breaching the security of a company. I have reviewed a number of providers with reasonable security and risk management programs of their own, but more often I have found their programs to be weak, or even laughable.

In fact, the running joke among risk assessors is that they end up being consultants for the third parties they review. Invariably, after getting dinged for a number of exposures, the providers will ask what they could do to resolve a particular finding. The assessor ends up being a valuable member of the third party’s risk team, by telling them how to fix the issue.

I don’t want to be too hard on the third parties. After all, the risk posed by outside vendors only hit everyone’s radar quite recently. According to the folks at the Southern Fried Security Podcast, the focus on third-party risk began as a result of the Target breach. As you may recall, hackers penetrated the Target network using credentials belonging to an HVAC vendor. The hack resulted in the loss of data on 40 million credit and debit cards. Quite suddenly, the corporate world woke up and realized that their vendors could be a major exposure.

In my experience, too many organizations still don’t pay close attention to their third parties. According to an article by Evantix, of 450 breaches investigated in 2013, a staggering 63% involved a third party. Experian, in their 2015 Data Breach Industry Forecast, made the case well, saying “As more companies adopt interconnected systems and products, cyber attacks will likely increase via data accessed from third-party vendors.” The same report expresses concern about the growth of a different sort of third-party exposure, Internet of Things devices, a risk that the business world is just now beginning to face.

While the lack of appropriate security precautions and risk management processes is very common among small vendors, the big guys have lapses too. In late 2015, Hartford Hospital shared a $90K HIPAA-related fine with tech giant EMC, because of their failure to safeguard patient data on an unencrypted laptop.

As breaches get more frequent, it is probable that fines will increase as well, especially with a growing body of regulators paying close attention to security problems. Since third parties are often a company’s weakest link, it is important to address this risk appropriately. Here are some practical suggestions:

The C-Suite must set the direction

Corporate leadership must make third-party risk management a priority for it to be successful. Such a program requires resources, and often involves delays in the purchase of products and services while the related risk is assessed. Without strong support from the C-Suite, managers will simply ignore third-party risk and buy whatever they want whenever they are in a hurry.

Have a structured program

Third-party oversight should begin with a structured program, with proper documentation and procedures. The program must be an ongoing effort, with periodic reassessment of each vendor, rather than a one-time review. This should include complete analysis of each vendor BEFORE a contract is signed, since your leverage to demand changes largely disappears once the contract is in force. For ideas on how to structure such a system, I would suggest that you review “Third-party risk management — not just papering the file.”

Oversight must apply to all vendors, large or small

The risks posed by a small vendor cannot be ignored, even if the exposure is also small. It is easy to overlook a small vendor performing a relatively minor service. Despite their small footprint, the risk is real. On the other hand, it can never be assumed that the big guys will do it right, as evidenced by the EMC case noted above.

Make the criteria match the vendor

In a perfect world, the same risk management standards could be applied to all vendors. Practically, however, we cannot hold a vendor with 10 employees to the same standards that would apply to a major corporation. While all vendor risk must be evaluated and considered, we must accept the fact that a small company cannot stay in business with a security budget that exceeds their income. Scale the depth of the assessment and the formality of the evidence you require, not the minimum bar: a small vendor that handles your sensitive data still has to protect it, and a vendor that cannot meet that bar should simply not be given the data.

Consider the level of exposure posed by each vendor

While the company that empties your trash cans certainly poses some risk, they are not in the same category as one that has access to your network and data. The level of attention you apply to each must be commensurate with their risk, which is driven by what data they hold or can reach, what access they have to your network and systems (the HVAC vendor in the Target breach being the cautionary example), and how much your business depends on them.

Document everything

Your actual control over a vendor’s security and risk practices is somewhat limited. Ultimately, if there is an incident, you will be judged largely based on the quality and completeness of your oversight effort. It is important that you document all aspects of your efforts, including each assessment, the findings, the vendor’s remediation commitments, and your follow-up on them, to demonstrate that you did everything reasonably possible to protect your business.

Feel free to walk away

If you find a vendor that is not meeting your standards, either during the initial review or during a periodic update, you must not hesitate to seek another vendor. The value provided by any given vendor must be balanced against the risk they pose.

Bottom line — unmanaged third parties can pose a risk to your company that is even greater than that posed by your own internal security issues. Bad actors know this as well, and they will exploit this opening unless you step up and manage the risk.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of … Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission-critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
