From the Desk of the vCISO: How to Protect Your Business from Third-Party Risk

Last year, a team of cybercriminals planted malware into a routine software upgrade from a Texas-based IT company called SolarWinds, which provides third-party network management services to more than 300,000 customers. Nearly 18,000 of these customers downloaded the malware-ridden updates embedded in SolarWinds’ product. Once they did, these bad actors were able to access everything from Microsoft to U.S. government agencies.

This SolarWinds breach went down as one of the most sophisticated cybersecurity attacks in history.

Today, organizations of all sizes are increasingly relying on third-party vendors like SolarWinds to outsource key functions and expertise, so they can focus on their core competencies. In doing so, however, they’re exposing themselves to high-profile risks like never before. That’s because when your third-party vendor is breached, your own systems and data can become compromised, too.  

According to the Ponemon Institute’s Data Risk in the Third-Party Ecosystem study, 56% of businesses surveyed confirmed their third-party vendor caused some form of data breach. Additionally, 42% of respondents reported “cyberattacks against third parties resulted in the misuse of their company’s sensitive or confidential information.”

Protecting Your Business from Risks Starts with Understanding Your Full Ecosystem

Most companies spend a tremendous amount of time and money securing their organization, with people, processes and technology usually being the core focus. We implement things like firewalls, endpoint protection, SIEM solutions and end-user awareness training. Many companies, however, stop there.

The reality is, protecting your business requires full visibility—because if you can’t see it, you can’t protect it. It’s hard enough to ensure your business and customer data is secure—but you also need to be vigilant about your entire business ecosystem. That means having a clear understanding of every third-party vendor that services your business—from the people who enter your building to deliver office supplies, to the SaaS company running your applications. Who are your third-party vendors? How does your company interact with them? What access do they have to your data? These are all critical questions you should be asking yourself, because only then can you start building a program to understand the level of risk each supplier poses to your business.

How to Identify and Manage Your Third-Party Vendor Risks

To get control over your entire business ecosystem, start by categorizing your third-party vendors based on the level of risk they present. Make sure you’re properly vetting every single vendor—however big or small. Your work doesn’t stop there, however. You need to continuously monitor each vendor for any security incidents. You also need to be prepared with an action plan in the event that a breach within your supply chain does occur.

But all of these things can be a tall order for businesses. So how can you make sure you’re following the right steps and putting the right processes in place—especially if you’re already facing time and resource constraints?

In working with hundreds of customers, we’ve identified four suggested steps to consider as you evaluate your suppliers.

Do Your Homework: Treat every vendor like they’re a candidate for a new role at your company. You’ll want to spend time evaluating prospective vendors, their history, their policies, their certifications and more. Does their approach to security and compliance align with yours? Do they have best-in-class security frameworks in place like ISO 27001? If this is a vendor that will have physical access to your building, make sure you fully understand who they are, why they need access and when they need it. It’s also important to evaluate the personnel, technologies, verifications and checkpoints you have in place at the building to verify their identities and access privileges. Knowing all of this information will help you categorize each vendor based on the level of risk they present.

Continually Monitor: Security is a moving target. Even after you’ve vetted your vendors, it’s important to keep a close eye on them to both identify any changes to their policies or personnel but to also make sure you’re aware of new security incidents. You don’t want to be the last person to find out about a breach.

Be Prepared: The risk of a potential security incident is never zero—in fact, you should expect it to happen. That’s why having a security incident response plan in place is crucial. Do you have a team ready to respond with defined roles and responsibilities? What security tools do you have in place? How and when will you communicate an incident to key stakeholders? Do you need to report the incident to external authorities? When a security event takes place, time is of the essence. Your ability to remediate a threat depends on how quickly you can act to contain any exposure. You’ll also want to make sure you have a business continuity plan in place in case the breach resulted in critical services being unavailable or offline for a significant amount of time.

Conduct Regular Assessments: Make sure to follow-up with your vendors at least once a year to ensure their security programs and policies continue to evolve and are compliant with your own standards.

Each of these steps plays an important role in your overall business security strategy—but for many, they might feel overwhelming. Fortunately, you have a support system. Managed service providers like Navisite offer services to help you boost your security posture with ongoing threat protection. From assessing the current state of your security to providing ongoing and proactive managed security services, we deliver the security expertise and protection you need using the latest technologies and security controls to catch threats before they cause a disruption to your business.

Learn more about our security services.