Working with subcontractors has many benefits: it allows companies to increase productivity and efficiency, employ highly qualified experts, and cut costs. There are drawbacks too, though, and one of them is the risk that a third-party provider will turn out to be the weakest link in your cybersecurity.
Fifty-six percent of organizations surveyed by the Ponemon Institute in 2017 admitted to having a data breach caused by one of their third-party vendors. Refusing to work with third parties is not an option, though. Thankfully, quality third-party management solutions can help you effectively mitigate subcontractor-related security risks.
Working with third parties: what are the risks?
The main risk of working with third parties is that a vendor may not take their network security as seriously as you do. Attackers know this, and they may go after your sensitive data by compromising a third-party company rather than attacking your company directly. This is called a supply chain attack and, as reported by the Associated Press, such attacks are on the rise.
There are numerous examples of poor third-party management resulting in data breaches and revenue losses:
- In 2013, Target’s HVAC vendor was phished. The stolen vendor credentials were then used to access Target’s billing network.
- In 2015, CVS warned customers of their online photo service that credit card information collected by a third-party vendor might have been compromised.
- In 2017, several third-party vendors working with Amazon were hacked. The attackers used the vendors’ credentials to post fake deals.
While risks related to third parties can vary depending on your business, they fall into several common categories:
Misuse of access — When you don’t control third-party vendors appropriately, you can’t be sure that their employees won’t misuse permissions. Ensuring a high level of control is especially important if your third parties have access to your company’s privileged accounts, critical assets, and sensitive information.
Accidental data breaches — Human errors can cause just as much damage as intentional attacks. Poorly trained employees can inadvertently delete important files or make configuration mistakes that can result in significant revenue losses and service outages.
Fraud — Third parties that commit fraud can cause serious damage to any business. Third-party employees can use their access to alter your company’s sensitive data to commit further fraudulent activities.
Data theft — Alongside unintentional data damage, there’s a high risk of targeted data theft by third parties. Without a proper third-party management policy in place, there’s a risk of third-party employees stealing valuable business information and using it to their advantage.
Compliance issues — Most of today’s regulations demand an appropriate level of control over access to sensitive information. The problem is that ensuring full compliance with local and industry-specific regulations on your end isn’t enough — your third-party contractor also has to comply with these regulations.
Take GDPR, for instance: if your third-party vendor moves sensitive data of your EU customers outside the EU without ensuring adequate data protection, you can be fined up to 20 million euros or 4% of your global annual turnover, whichever is higher.
With all these risks in mind, you need to take proper precautions and add specific measures to your cybersecurity policy to address third-party-related risks.
Five best practices for managing third-party providers
There’s no way you can eliminate third-party risks completely, but with the appropriate security measures in place, you can make these risks manageable. Here are five of the most effective practices for mitigating risks related to third parties.
1. Choose trustworthy third-party vendors. Choose the third parties you work with carefully. Pay attention to their experience and reputation, request their cybersecurity policies, and examine those policies. In particular, take a close look at their security practices:
- Do they comply with the same regulations that you need to comply with?
- What security policies and disaster recovery plans do they have in place?
- Who is responsible for ensuring data protection and preventing data breaches on their end?
- Do they perform data and server backups on a regular basis?
- How do they monitor who exactly can access your sensitive data?
Compare their cybersecurity practices to your company’s and make sure there are no weak spots or hidden risks. Also, consider paying your potential subcontractors an actual visit if possible so you can see how they work and discuss their security practices in person.
2. Delineate responsibilities via service-level agreements (SLAs). Be especially attentive when signing SLAs and contracts with your third-party vendors, and make your security requirements part of the deal. Take everything into account: what kinds of sensitive information the vendor may access and store, what security controls they must maintain to protect that data, which regulations they must comply with, how often they must be audited, and how quickly they must notify you of a security incident on their end. Think of every detail relevant to your business and make sure it is written into the agreement.
3. Monitor and audit user activity. Monitoring and auditing user activity and data access is commonly required to comply with regulations. Monitoring and auditing can also help you learn quickly about any abnormal or potentially dangerous user actions. Continuous monitoring is the key to knowing who accesses what and who is responsible for a particular action.
4. Employ privileged access management solutions. Just monitoring user activity isn’t enough. You also need to make sure that only legitimate users can reach your company’s sensitive information. A privileged access management solution can be integrated with your ticketing system so that access is granted only against an approved ticket, can protect critical assets with two-factor authentication (making it harder to compromise your network even if someone’s credentials are stolen), can issue one-time passwords, and can enforce other access controls.
Look for a solution that allows you to follow the principle of least privilege so that both your employees and your third-party vendor’s employees are granted only the privileges they need to do their jobs.
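As an added illustration of what ticket-gated, least-privilege access for a vendor account looks like in code (this is example code written for this article, not Ekran System’s own logic), the check below assumes a hypothetical PAM layer that can consult a ticket store and a per-vendor asset allow-list before opening a session. All account names, asset names, ticket IDs and privilege strings are made up.

```python
"""Ticket-gated, least-privilege access check for third-party accounts.

Added example, not Ekran System code. It assumes a hypothetical privileged
access management (PAM) layer that can consult a ticket store and a per-vendor
asset allow-list before opening a session; all names and data are constructed
for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    requester: str              # vendor account the work was approved for
    asset: str                  # the one system the job is scoped to
    privileges: frozenset[str]  # only the rights the job needs, e.g. {"bms:read"}
    approved: bool
    valid_from: datetime
    valid_until: datetime


@dataclass(frozen=True)
class AccessRequest:
    account: str
    asset: str
    privilege: str
    ticket_id: str
    mfa_verified: bool          # second factor completed for this session
    at: datetime


# Constructed: which assets each vendor account may ever touch, regardless of
# what any ticket says. This is the vendor-level least-privilege boundary.
VENDOR_SCOPE: dict[str, set[str]] = {
    "hvac-vendor-svc": {"bms-controller-01"},
    "photo-vendor-svc": {"photo-upload-api"},
}


def decide(req: AccessRequest, tickets: dict[str, Ticket]) -> tuple[bool, str]:
    """Return (allowed, reason). Every check is a hard deny, and the reason
    string is meant to be logged so the audit trail records which control
    stopped a request."""
    if not req.mfa_verified:
        return False, "mfa_required"
    if req.asset not in VENDOR_SCOPE.get(req.account, set()):
        return False, "asset_out_of_vendor_scope"
    ticket = tickets.get(req.ticket_id)
    if ticket is None or not ticket.approved:
        return False, "no_approved_ticket"
    if ticket.requester != req.account or ticket.asset != req.asset:
        return False, "ticket_does_not_match_request"
    if not ticket.valid_from <= req.at <= ticket.valid_until:
        return False, "outside_ticket_window"
    if req.privilege not in ticket.privileges:
        return False, "privilege_not_approved"
    return True, "ok"


# Constructed sample data: one approved change ticket for the HVAC vendor.
NOW = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
TICKETS = {
    "CHG-1001": Ticket(
        ticket_id="CHG-1001",
        requester="hvac-vendor-svc",
        asset="bms-controller-01",
        privileges=frozenset({"bms:read", "bms:update-setpoint"}),
        approved=True,
        valid_from=NOW - timedelta(hours=1),
        valid_until=NOW + timedelta(hours=3),
    )
}


def sample_decisions() -> dict[str, tuple[bool, str]]:
    """Run a handful of constructed requests through decide()."""
    base = dict(account="hvac-vendor-svc", asset="bms-controller-01",
                privilege="bms:read", ticket_id="CHG-1001",
                mfa_verified=True, at=NOW)
    cases = {
        "approved_work": AccessRequest(**base),
        "no_mfa": AccessRequest(**{**base, "mfa_verified": False}),
        # the Target pattern: HVAC vendor credentials aimed at a billing system
        "billing_system": AccessRequest(**{**base, "asset": "billing-db"}),
        "extra_privilege": AccessRequest(**{**base, "privilege": "bms:admin"}),
        "after_hours": AccessRequest(**{**base, "at": NOW + timedelta(hours=5)}),
        "unknown_ticket": AccessRequest(**{**base, "ticket_id": "CHG-9999"}),
    }
    return {name: decide(req, TICKETS) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in sample_decisions().items():
        print(f"{name:16} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

The vendor-level scope check runs before the ticket is even looked at: a ticket can narrow what a vendor account may do, but it can never widen it beyond the assets that vendor was onboarded for, which is the boundary that would have stopped HVAC credentials from reaching a billing system.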
5. Include subcontractor-related risks in your incident response strategy. There are different approaches to building an incident response strategy. The National Institute of Standards and Technology (NIST), for instance, describes four phases of incident handling in its Computer Security Incident Handling Guide (SP 800-61):
- Preparation — Get ready to handle possible incidents and try to prevent them from happening in the first place.
- Detection and analysis — Analyze possible attack vectors, determine the signs of incidents, and set specific alerts and notifications for different incidents. For instance, if someone tries to log in to a privileged account from an unusual location or copy sensitive data to an unapproved USB device, you should be alerted immediately.
- Containment, eradication, and recovery — If an incident takes place, you need to contain the issue and eliminate it as soon as possible. Then you can recover your system and restore services.
- Post-incident activity — After handling an incident, analyze collected incident data and use the knowledge you’ve gained to prevent similar incidents from happening in future.
This approach works for subcontractor-related incidents as well. You can go through each of these four steps, keeping in mind the risks related to working with third-party providers, and develop formalized procedures for mitigating those risks. Then add these procedures to your company’s current incident response plan.
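The two alerts mentioned under detection and analysis above (a privileged login from an unusual location and a copy of sensitive data to an unapproved USB device) are easy to express as detection rules over user-activity logs. The following is an added example written for this article, not Ekran System code; the JSON log format, account names, device serials and location baselines are all hypothetical and constructed here.

```python
"""Alerting on two third-party-related events from constructed log lines.

Added example, not Ekran System code. The JSON log format, account names,
approved-device list and location baselines are hypothetical and made up for
this illustration.
"""
from __future__ import annotations

import json

# Accounts whose logins deserve extra scrutiny (vendor and admin accounts).
PRIVILEGED_ACCOUNTS = {"hvac-vendor-svc", "dba-admin"}

# Countries each privileged account has logged in from during its baseline period.
BASELINE_COUNTRIES = {
    "hvac-vendor-svc": {"US"},
    "dba-admin": {"US", "DE"},
}

# Serial numbers of company-issued, encrypted USB drives.
APPROVED_USB_SERIALS = {"USB-CORP-0001"}

# Directories whose contents count as sensitive data.
SENSITIVE_PREFIXES = ("/srv/billing/", "/srv/customer-data/")

# Constructed sample log: one JSON object per line, as a user-activity
# monitoring agent might emit them. The last line is deliberately malformed.
SAMPLE_LOG = """\
{"ts":"2024-03-01T09:58:00Z","event":"login","user":"hvac-vendor-svc","geo":"US","ip":"198.51.100.7"}
{"ts":"2024-03-01T10:02:00Z","event":"login","user":"hvac-vendor-svc","geo":"BR","ip":"203.0.113.9"}
{"ts":"2024-03-01T10:03:00Z","event":"login","user":"jdoe","geo":"BR","ip":"203.0.113.10"}
{"ts":"2024-03-01T10:10:00Z","event":"file_copy","user":"dba-admin","src":"/srv/customer-data/export.csv","dest_type":"usb","dest_serial":"USB-CORP-0001"}
{"ts":"2024-03-01T10:12:00Z","event":"file_copy","user":"dba-admin","src":"/srv/customer-data/export.csv","dest_type":"usb","dest_serial":"USB-UNKNOWN-77"}
{"ts":"2024-03-01T10:13:00Z","event":"file_copy","user":"jdoe","src":"/home/jdoe/notes.txt","dest_type":"usb","dest_serial":"USB-UNKNOWN-77"}
this line is not JSON and must not crash the detector
"""


def detect(log_text: str) -> tuple[list[dict], int]:
    """Return (alerts, skipped_lines).

    Each alert is a dict with the rule name and the fields an analyst needs
    to triage. Malformed lines are counted rather than silently dropped,
    because a sudden rise in unparseable events is itself worth a look."""
    alerts: list[dict] = []
    skipped = 0
    for raw in log_text.splitlines():
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            skipped += 1
            continue

        if ev.get("event") == "login" and ev.get("user") in PRIVILEGED_ACCOUNTS:
            # Rule 1: privileged account logging in from outside its baseline.
            if ev.get("geo") not in BASELINE_COUNTRIES.get(ev["user"], set()):
                alerts.append({
                    "rule": "privileged_login_unusual_location",
                    "ts": ev.get("ts"), "user": ev["user"],
                    "geo": ev.get("geo"), "ip": ev.get("ip"),
                })

        elif ev.get("event") == "file_copy" and ev.get("dest_type") == "usb":
            # Rule 2: sensitive data written to a USB device not on the approved list.
            src = ev.get("src", "")
            if src.startswith(SENSITIVE_PREFIXES) and ev.get("dest_serial") not in APPROVED_USB_SERIALS:
                alerts.append({
                    "rule": "sensitive_copy_to_unapproved_usb",
                    "ts": ev.get("ts"), "user": ev.get("user"),
                    "src": src, "dest_serial": ev.get("dest_serial"),
                })
    return alerts, skipped


if __name__ == "__main__":
    found, bad = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(f"{len(found)} alert(s), {bad} unparseable line(s)")
```

Run against the constructed log, the detector raises exactly two alerts: the vendor login from a country outside its baseline, and the copy of a customer-data export to an unknown USB drive. The copy to the company-issued drive and the non-privileged user’s login from the same country are left alone, which is the point of keeping per-account baselines and an approved-device list rather than alerting on every USB write or every foreign login.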
While there are a variety of tools and solutions that promise to help security officers mitigate subcontractor-related risks, Ekran System has several advantages over all other solutions. Ekran System includes a third-party vendor monitoring solution that has a broad set of incident response tools, allows for granular access management, and gives you full visibility into the actions of both your internal employees and outsiders. The Ekran System platform is stable, easy to manage, and customizable, and can be integrated with your current SIEM and ticketing systems.
As companies outsource more and more responsibilities to third parties, the need to address subcontractor-related risks is becoming vital. There are many risk factors that companies need to take into account, from human errors to hacker attacks and insider threats within third-party service providers.
Efficient third-party management can help you ensure your company’s cybersecurity when working with outside vendors, service providers, and independent experts. Continuous user activity monitoring, audits, and privileged access management are some of the most effective practices for mitigating security risks related to third parties.