According to the Ponemon Institute’s 2014 Global Report on the Cost of Cybercrime, a quarter of organizations worldwide fail to meet their own security requirements. If your organization is one of that 25 percent, given the surging rate of cybercrime, you are probably hurrying to ramp up privacy and information security programs, staff, and budget. If yours is one of the 75 percent that does meet its own requirements, take a moment to congratulate yourself—just a moment—and then think about all your business partners, third-party service vendors, and suppliers. If 25 percent of them are not meeting their own security requirements, what are the chances they’re meeting yours?
In the previous article in this series, we discussed the fact that human error is often the weak link that leaves organizations vulnerable to cybercrime, and we looked at ways to build breach resistance in the organization. But your partners and suppliers can also make mistakes or simply have poor security practices. As Rocco Grillo, managing director at consulting firm Protiviti says, “You can have all the security in the world inside your company’s four walls, but all it takes is a compromise at one third-party vendor that’s connected to you [to create] a bridge directly into your organization.” In fact, Protiviti’s 2015 Vendor Risk Management Benchmark Study found that, on a scale of 1 to 5, organizations rate an average of 2.8 on the maturity of their vendor risk management practices. That leaves a lot of room to improve breach resistance in your business ecosystem. Let’s look at some of the things you can do.
Make Requirements Clear
Depending on your industry, there may be a long list or a whole network of regulations governing privacy and information security practices, and some—the Health Insurance Portability and Accountability Act (HIPAA), ICO 27001/2, the Consumer Financial Protection Bureau (CFPB) regulations, and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, among others—have specific requirements for working with third-parties. But some of your vendors may not be in your industry, may not know the regulations, or have no idea the requirements apply to them. So the first step in managing third-party risk is to make sure your third parties know what is expected of them.
Defining requirements can begin with vendor selection. Before choosing a vendor for any service that has access to information (anything from cloud computing and data processing to a temp agency or an HVAC company or janitorial service that sends staff to your facilities), bring together the hiring department and stakeholders, privacy and security staff, and the responsible purchasing or HR person to identify the information risks associated with that vendor and to build security requirements into the screening and hiring process. Once the vendor is selected, carry those security and privacy requirements into the contract, wherever possible quantifying them with performance-based contract provisions such as service-level agreements (SLAs), key performance indicators (KPIs), or key risk indicators (KRIs). Cyber attorney Sean Hoar, partner at Davis Wright Tremaine LLP, says you should require third parties to commit to following commercially reasonable practices. “If the primary party [your organization] has a best practice framework it follows, that framework may be used as the standard to be followed by the third party, and it can be incorporated into the contract. If I am counseling the primary party, I would also recommend the inclusion of an indemnification provision wherein the third party indemnifies the primary party for any compromise of its system up to the value of data or likely harm that might result if the third party service is compromised. This provides a significant incentive for the third party to increase and sustain a healthy security posture. The indemnification provision should be backed up with sufficient cyber liability insurance coverage and the primary party should be listed as an ‘additional insured’ on the policy.”
Favor Certified Vendors
In some fields, vendors may be able to offer you an additional level of assurance through security certifications. For example, the Cloud Security Alliance offers multiple levels of security certifications for cloud-based vendors, and some of their certification levels include independent audits. The Global Information Assurance Certification (GIAC) offers cybersecurity certification in a number of areas, from mobile device management to industrial controller systems, and the International Information System Security Certification Consortium, Inc. (ISC)² offers the Certified Information Systems Security Professional (CISSP) certification, with specializations in areas such as architecture, engineering, and management. Individual technology vendors, from Microsoft, IBM, and Intel to Cisco and Symantec, also offer certifications for their technologies. Look for potential partners who have support staff with security certifications relevant to your business.
The Shared Assessments Program, a consortium of leading financial companies and key service providers also offers tools and resources for conducting vendor risk assessments. Screening potential third-party vendors for security and privacy programs and practices should be a standard part of vendor selection, but industry specific certifications and risk assessment provide additional assurance that your vendor will be able to meet your security needs.
Help Your Partners to Protect You
Your vendors want to protect their relationship with you, and they don’t want to become party to legal action or penalties resulting from a breach, so they should be eager to partner with you in protecting your information. You can help them in a variety of ways:
Train them in your security practices by including key vendor personnel in your training programs and by empowering them to train their own staff.
- Provide clear communication channels and schedule regular check-ins to discuss privacy and security processes and review key indicators.
- Make sure that there is a well-defined process for escalating privacy and security-related incidents, and that all relevant staff within both organizations know it. Run periodic drills to make sure it is working.
- Include your vendor’s staff in security awareness programs to warn them of emerging threats and help them build resistance to phishing, visual hacking, and other kinds of attacks that may compromise their system security and yours.
- Require them to periodically review and report to you on security programs with their own vendors and on cloud app usage within their organizations. (A new study from Skyhigh Networks shows that the average organization is using over 10 times more cloud services than the IT organization knows about. If you add up the “shadow services” that your organization is probably using and the ones that all your vendors are using, that could be a massive security hole.)
Hold Them Accountable
Defining security requirements for vendors is important, but it’s not much use if you don’t monitor to make sure the requirements are being met. According to the Protiviti study, the category Tools, Measurement, and Analysis is one of the weakest areas in most organizations’ vendor risk management (2.4 out of 5), and most don’t allocate enough resources for vendor risk management activities. You need to allocate people, time, and resources to track security performance indicators with your vendors and to address issues if they are not being met. And if you are ending the business relationship with a vendor, whether due to performance or because the business need has changed, you also need to allocate resources to make sure your data is securely and completely removed from their systems.
If there is a security incident or breach due to third-party error or negligence, Hoar says that your remedies will primarily be contractual. “This is why it is important to conduct due diligence up front on third-party providers, draft indemnification clauses into every third-party service contract, and ensure that the indemnification is backed up by cyber liability insurance coverage which equates to at least the value of data processed, transmitted or stored by the third party service.”
In this age of interconnected systems, outsourced business processes—and software, applications, and infrastructure as services—businesses depend on a whole ecosystem of third parties to stay agile and competitive. As with any other ecosystem, the denizens of your business community can flourish or fail together, so you and your business partners and suppliers have a vested interest in protecting one another from the predations of cybercrime. With good communication, collaboration, and proactive oversight, you can.
Originally posted on the ID Experts Blog. Reposted with permission.
Jeremy Henley is the director of breach services for ID Experts. Henley has direct oversight for all breach incident management services. He has been certified by the Healthcare Compliance Association for Healthcare Privacy and Compliance and brings more than a dozen years of sales, consulting and leadership experience to the ID Experts team. He is responsible for establishing and maintaining relationships with insurance carriers offering cyber and privacy liability coverage and works with insurance brokers and risk managers to minimize the risks of breach.