7 Third-Party Security Risk Management Best Practices

Category: 

Cooperation is the key to success. Working with third parties helps businesses increase their productivity and efficiency, produce better products and services, employ highly qualified experts, and cut costs. But all these benefits come at the price of increased cybersecurity risks.

 

Minor flaws in your third-party vendor’s security and privacy routines may turn into cybersecurity weaknesses for your company. In this article, we analyze the particular cybersecurity risks related to third parties and how you can mitigate them.

 

Third-party-related attacks are on the rise

 

Cybercriminals always look for your weak spots.

 

Third parties may not take their network security as seriously as you want them to. Knowing this, hackers may choose not to attack your company directly. Instead, they may look for an easier target among your third-party vendors. A compromised subcontractor can easily be turned into an entry point for cybercriminals. This is how a supply chain attack works.

 

Meanwhile, the number of third parties organizations work with as well as the amount of sensitive data disclosed to them is increasing every year. The same goes for data breaches caused by third parties. From 2017 to 2019, the number of data breaches caused by third-party vendors increased by 35%. The results of annual studies by the Ponemon Institute from 2016 to 2018 also show a disturbing dynamic:

 

third-party vendor risk trends

 

Here are only a few recent examples of cybersecurity incidents involving third parties:

 

 

  • Atrium Health data breach — In 2018, Atrium Health suffered a data breach that resulted in the exposure of personal information of over 2.65 million patients. The breach was caused by a compromise of servers used by Atrium Health’s billing vendor, AccuDoc Solutions.

 

  • Amazon data leak — In 2020, Amazon, eBay, Shopify, and PayPal fell victim to a massive data leak. A third-party database with approximately eight million UK online shopping transactions was published online. Noticeably, this is not the first time Amazon has suffered from third-party-originated incidents. In 2017, attackers hacked several third-party vendors working with Amazon and used their credentials to post fake deals.

 

  • General Electric (GE) data breach — In 2020, GE reported a data breach caused by their service provider Canon Business Process Services. A compromised email account led to the public exposure of personally identifiable information of GE’s beneficiaries and employees, both current and former.

 

Depending on the nature of third-party vendor compromise, an organization may face different risks. Let’s look at the most common risk categories and the threats you need to be prepared to mitigate.

 

Read also: Insider Threat Statistics for 2020: Facts and Figures

 

What are the risks?

 

A compromise of your subcontractor may affect you too.

 

The financial and technical capabilities of small service providers and subcontractors don’t always match the capabilities of their clients. Therefore, while aiming for a bigger win, cybercriminals may start small and look for an easy target within your supply chain.

 

effects of subcontractor compromise

 

A compromised third-party vendor may lead to multiple risks that can be split into four major categories:

 

third-party-related risks

 

  • Cybersecurity risks — Subcontractors usually have legitimate access to different environments, systems, and data of their clients. Attackers may use a third-party vendor as an entry point to try to get a hold of your valuable assets.

 

  • Operational risks — Cybercriminals may target your internal systems and the services you use instead of just your data. This can lead to partial interruptions of your operations or even halt them altogether.

 

  • Compliance risks — International, local, and industry-specific standards and regulations set strict cybersecurity criteria that organizations should meet. Furthermore, third parties working with these organizations also have to comply with these requirements. Non-compliance usually leads to substantial fines and reputational damage.

 

  • Reputational risks — Having your valuable data and systems compromised serves as a red flag for your partners and customers, both current and future. Regaining their trust will take a lot of time and effort. And unfortunately, there’s no guarantee that you’ll be able to successfully recover your reputation after a severe cybersecurity incident. 

 

What’s the root cause of all these risks? 

 

The reason why many organizations struggle so much when it comes to securing their work with third parties is the lack of two things: visibility and control.

 

Companies often don’t see the full picture of what their third-party vendors do with their critical data and systems. For example, if a third-party vendor uses a shared account to access your corporate network, you won’t be able to determine which of their specialists has made a particular change in the system. 

 

Also, organizations often have limited control over their third parties. Yet it’s the organization’s responsibility to make sure their supply chain vendors meet all necessary cybersecurity requirements. According to the Health Insurance Portability and Accountability Act (HIPAA), even when a data breach happens on a third-party vendor’s side, the healthcare provider is held responsible for not ensuring the safety of their patients’ data.

 

Read also: Healthcare Data Security: How to Protect Patient Health Information?

 

Understanding the particular threats

 

Let’s get more specific.

 

In order to make your cooperation with subcontractors more secure, you need to understand what threats they can pose to your company’s cybersecurity. Let’s focus on four common types of threats:

 

common threats

 

  • Privilege misuse — Third-party vendors may violate access privileges you grant them in various ways and for various reasons. Your subcontractor’s employees may willingly pass their credentials to others. Or, if access permissions in your network aren’t configured properly, a third-party vendor may get access to data that’s not supposed to be shared with them.

 

Ensuring a high level of access control is especially important if your third parties have access to your company’s privileged accounts, critical assets, and sensitive information.

 

  • Human errors — Inadvertent mistakes by your subcontractor’s employees can cause just as much damage as intentional attacks. Common mistakes include accidentally deleting or sharing files and information, inputting the wrong data, and misconfiguring systems and solutions. While being unintentional, these mistakes can still lead to data leaks, service outages, and significant revenue losses.

 

  • Data theft — Alongside unintentional data damage, there’s a high risk of targeted data theft by third parties. Without a proper third-party vendor management policy in place, there’s a risk of third-party employees stealing valuable business information and using it to their advantage.

 

  • Fourth-party risks — Fourth parties or second-tier third parties are subcontractors of your subcontractors. Ensuring that your third-party vendors meet your cybersecurity requirements and follow cybersecurity best practices isn’t enough. You also need to understand how they manage their own supply chains.

 

Luckily, you can effectively manage all these risks and threats by following a set of third-party vendor risk management best practices that will significantly improve your company’s cybersecurity resistance.

 

Read also: Insider Data Theft: Definition, Common Scenarios, and Prevention Tips

 

Third-party vendor risk management: 7 best practices

 

Analyze and control risks stemming from your subcontractors.

 

A systematic approach can help you mitigate potential cybersecurity threats and manage risks coming from your third parties. Third-party risk management (TPRM) is an example of such an approach. 

 

In a nutshell, TPRM is the process of determining, analyzing, and managing third-party risks. This process can cover different aspects of your company’s operations: work with sensitive data and intellectual property, access management, financial operations, and so on.

 

There are several international standards and commonly used frameworks that can serve as a basis for outlining your third-party risk management strategy. The following resources will prove particularly helpful:

 

 

By analyzing the recommendations in these resources, we can summarize seven third-party security risk management best practices:

 

third-party security risk management best practices

 

  1. Make an inventory

 

Start by making an inventory of all your third-party vendors and service providers. Next, classify them according to the level of their impact on your organization: low, medium, or high. The more critical data is exposed to a particular vendor, the higher that vendor’s possible impact on your organization.

 

Pay the most attention to vendors who have a high impact on your organization’s operations and cybersecurity, as their compromise will affect you the most. Also, consider developing a framework for categorizing vendor impact and use it when starting to work with new subcontractors.

 

  1. Delineate responsibilities

 

Use service-level agreements (SLAs) to determine who’s responsible for what in your cooperation with a third party. You need to take everything into account: what kinds of sensitive information your third-party vendor can access and store, what security precautions they should take to protect that data, what compliance requirements they must follow, how often they should perform audits, and so on. Think of every detail relevant to your business and make sure to mention it in your SLA.

 

  1. Establish cybersecurity policies

 

Set clear cybersecurity rules for both your third-party vendors and your employees cooperating with them. Develop an internal policy that clarifies responsibilities of each party and outlines standard actions for different procedures and cases. And make sure to familiarize both your employees and your subcontractors with these rules.

 

  1. Limit access

 

Consider deploying a privileged access management solution to make sure that only legitimate users can access your company’s sensitive information. Secure your critical assets with two-factor authentication (2FA) to make it harder to compromise your network even if someone’s credentials are stolen. One-time passwords and manual access approval also can help you prevent attackers from entering your network.

 

Read also: Two-Factor Authentication (2FA): Definition, Methods, and Tasks

 

  1. Enable continuous user activity monitoring

 

Continuous monitoring of user activity is a common requirement of many IT regulations, laws, and standards. By monitoring a third-party vendor’s activity within your network, you can see who does what with your critical assets and when they do it.

 

Look for a solution that can monitor and record user sessions in a comprehensive format suitable for further auditing of your third-party vendors’ activity. Reports based on the results of vendor monitoring will be helpful in passing external audits, evaluating your cybersecurity during internal audits, and investigating cybersecurity incidents.

 

  1. Plan for third-party incident response

 

Prepare for responding to a subcontractor-related incident before it happens. Analyze the scope of cybersecurity threats and risks to pick those that are relevant to your company. Then develop formalized procedures for mitigating those risks.

 

To ensure timely detection of cybersecurity incidents, use a dedicated solution to configure alerts and notifications for possible suspicious actions and events related to your subcontractor’s activity. Choose responsible personnel who will get notified in case of a cybersecurity incident related to third parties and make sure to add their names and contact information to your cybersecurity policy.

 

  1. Perform regular audits

 

Perform regular audits and evaluations of your third-party vendors. Use reports from your user activity monitoring solution and incident response system to analyze the way your vendors treat your critical systems and sensitive data. 

 

Additionally, perform regular assessments using vendor risk management questionnaires. You can compose such questionnaires yourself or use templates that match your company’s requirements. Having vendors fill out questionnaires will help you evaluate your vendors’ cybersecurity approaches and identify potential weaknesses in them.

 

Read also: 7 Best Practices to Conduct a User Access Review

Monitor your third-party vendors with Ekran System

 

While there are a variety of tools that promise to help security officers mitigate subcontractor-related risks, Ekran System has several advantages. Particularly, Ekran System enables you to:

 

 

Ekran System gives you full visibility into the actions of every user in your network. The Ekran System platform is stable, easy to manage, and customizable, and it can be easily integrated with your current SIEM and ticketing systems.

 

Learn more about Ekran System’s third-party vendor security monitoring solution

 

Conclusion

 

Third-party vendors have legitimate access to clients’ critical systems and sensitive data. Yet many subcontractors can’t match the level of cybersecurity measures and precautions implemented by large enterprises. This is why cybercriminals often focus on third-party vendors and service providers instead of directly attacking their real targets. 

 

A cyberattack on a third-party vendor creates cybersecurity, operational, compliance, and reputational risks for all organizations the vendor works with. Dealing with these risks can also result in substantial financial losses.

 

The best way to mitigate these risks is by deploying a sophisticated monitoring solution and following third-party vendor risk management security best practices. Ekran System can help organizations manage third-party vendor risks and implement most of the practices that are critical for this process. The platform provides a rich selection of user activity monitoring, access management, and incident response functionalities.

 

Start your 30-day trial to evaluate Ekran System’s capabilities.