Third-party vendors — your weakest link?

Some of you may remember the TV game show The Weakest Link, during which a somewhat caustic Anne Robinson would declare one of the nine contestants the weakest link, and summarily kick them off the program.

Now, imagine Anne taking a job as an information security consultant, reviewing security and risk for a medium-sized corporation. I suspect that as she got to the portion of the review involving third-party suppliers, she would quickly yell out “You are the weakest link. Goodbye.”

I have worked with a variety of organizations that, as mandated by HIPAA, PCI, or other standards, must assess the risks of their third-party providers. I have written or reviewed more of these than I could count off hand. As such, I can confirm that they are often the easiest approach to breaching the security of a company. I have reviewed a number of providers with reasonable security and risk management programs of their own, but more often I have found their programs to be weak, or even laughable.

In fact, the running joke among risk assessors is that they end up being consultants for the third parties they review. Invariably, after getting dinged for a number of exposures, the providers will ask what they could do to resolve a particular finding. The assessor ends up being a valuable member of the third party’s risk team, by telling them how to fix the issue.

I don’t want to be too hard on the third parties. After all, the risk posed by outside vendors only hit everyone’s radar quite recently. According to the folks at the Southern Fried Security Podcast, the focus on third-party risk began as a result of the Target breach. As you may recall, hackers penetrated the Target network using credentials belonging to an HVAC vendor. The hack resulted in the loss of data on 40 million credit and debit cards. Quite suddenly, the corporate world woke up and realized that their vendors could be a major exposure.

In my experience, too many organizations still don’t pay close attention to their third parties. According to an article by Evantix, of 450 breaches investigated in 2013, a staggering 63% involved a third party. Experian, in their 2015 Data Breach Industry Forecast, made the case well, saying “As more companies adopt interconnected systems and products, cyber attacks will likely increase via data accessed from third-party vendors.” The same report expresses concern about the growth of a different sort of third party exposure — Internet of Things devices, a risk that the business world is just now beginning to face.

While the lack of appropriate security precautions and risk management processes are very common among small vendors, the big guys have lapses too. In late 2015, Hartford Hospital shared a $90K HIPAA-related fine with tech giant EMC, because of their failure to safeguard customer data on laptops.

As breaches get more frequent, it is probable that fines will increase as well, especially with a growing body of regulators paying close attention to security problems. Since third parties are often a company’s weakest link, it is important to address this risk appropriately. Here are some practical suggestions:

The C-Suite must set the direction

Corporate leadership must make third-party risk management a priority for it to be successful. Such a program requires resources, and often involves delays in the purchase of products and services while the related risk is assessed. Without strong support from the C-Suite, managers will simply ignore third-party risk, and just buy whatever they want whenever they get in a hurry.

Have a structured program

Third-party oversight should begin with a structured  program, with proper documentation and procedures. The program must be an ongoing effort, rather than a one-time review. This should include complete analysis of each vendor BEFORE a contract is signed. For ideas on how to structure such a system, I would suggest that you review “Third-party risk management — not just papering the file.”

Oversight must apply to all vendors, large or small

The risks posed by a small vendor cannot be ignored, even if the exposure is also small. It is easy to overlook a small vendor performing a relatively minor service. Despite their small footprint, the risk is real. On the other hand, it can never be assumed that the big guys will do it right, as evidenced by the EMC case noted above.

Make the criteria match the vendor

In a perfect world, the same risk management standards could be applied to  all vendors. Practically, however, we cannot hold a vendor with 10 employees to the same standards that would apply to a major corporation. While all vendor risk must be evaluated and considered, we must accept the fact that a small company cannot stay in business with a security budget that exceeds their income.

Consider the level of exposure posed by each vendor

While the company that empties your trash cans certainly poses some risk, they are not in the same category as one that has access to your network and data. The level of attention you apply to each must be commensurate with their risk.

Document everything

Your actual control over a vendor’s security and risk practices is somewhat limited. Ultimately, if there is an incident, you will be judged largely based on the quality and completeness of your oversight effort. It is important that you document all aspects of your efforts, to demonstrate that you did everything reasonably possible to protect your business.

Feel free to walk away

If you find a vendor that is not meeting your standards, either during the initial review, or a yearly update, you must not hesitate to seek another vendor. The value provided by any given vendor must be balanced against the risk they pose.

Bottom line — unmanaged third parties can pose a risk to your company that is even greater than that posed by your own internal security issues. Bad actors know this as well, and they will exploit this opening unless you step up and manage the risk.