When it comes to cyber security, the threat from within the organization is just as big as the one from the outside. Insiders can misuse your data, whether maliciously or inadvertently, or even damage and delete it. Moreover, a compromised account can serve as an entry point for a hacker who, once in the system, becomes indistinguishable from an actual insider.
Protecting your data from insider threats requires implementing specific policies and procedures aimed at securing data access and controlling how it is used. Part of this continuous process is effective third party vendor management.
The danger posed by third parties, and the various ways to mitigate it, is one of those topics that doesn’t get a lot of detailed coverage, but in reality it is vital for understanding how to beat insider threats.
Ask yourself – what does the word vendor mean in the context of your business? Companies nowadays use numerous third party services to handle a variety of vital business tasks, including supply, delivery, advertising, finances, security, legal matters, insurance, as well as payroll and benefits for employees. This means that all kinds of companies have access to your sensitive information – and you rarely know how reliable security is on their end.
The Ponemon 2016 Cost of Data Breach Study suggests that data breaches involving third parties generally cost $14 more than the baseline per record (and don’t forget – a breach can involve millions of records), making it the most significant factor contributing to increased data breach cost. A different study from Ponemon, the Data Risk in the Third Party Ecosystem report, suggests that 73% of companies consider that the frequency of breaches involving third party vendors is on the rise, while 58% of companies can’t even vouch for the effectiveness of the safeguards put in place against it.
So, let’s summarize: data breaches involving third parties are extremely costly, they are becoming more and more frequent, and the majority of companies don’t even know whether their defenses are working or not!
This sounds terrible, but not everything is doom and gloom. There are a number of simple policies and procedures that you can implement for effective third party monitoring and management, and we will cover them shortly. However, before that, we need to understand what exactly makes third parties so dangerous.
What really makes third party vendors a security liability
As mentioned above, the biggest problem with third party vendors is their extensive, often unlimited access to your sensitive data. More often than not, this access is unsupervised, while at the same time you barely know how good their security actually is. Their employees can easily misuse your data, and if their system is ever hacked, it can serve as a gateway into your system for malware and perpetrators.
And worst of all, you will barely be able to detect any of it, because malicious actions in this case can hardly be distinguished from regular work.
But this only describes why third party vendors are a danger in principle; surely, in practice, the state of their security is closely evaluated and their actions are tightly controlled. Right?
Yeah, not quite. In fact, there are several factors that contribute to the problem, all of which come down to problems with managing vendors:
– Lack of cyber security requirements for third party vendors – sometimes companies choose not to assess the cyber security of third party vendors, or choose not to impose any additional security requirements, simply relying on the vendor to take care of it themselves. This is a huge mistake, because it leaves the vendor alone with any potential risks and challenges, which may affect your data as well. It even leaves the window open for them not to notify you in case of a breach or other problems.
– Lack of enforcement – even when companies do have their standards and requirements, they are not always enforced in the right way. If it isn’t in the contract, you can hardly expect a third party vendor to comply when you try to make them do something regarding cyber security.
– Inconsistent policies regarding cyber security – sometimes companies change their requirements or policies, leaving vendors to adapt. This can create a security vulnerability while third party vendors are struggling to catch up.
– Rapid changes in the cyber security landscape – the threats we’re facing and the ways to beat them are constantly evolving, and it can be quite hard to always keep your security top notch. Sometimes vendors can’t catch up quickly enough, leaving them, and your data, vulnerable.
Combating all the reasons mentioned above requires you to work with third party vendors – constantly assess their security, enforce compliance with your own security standards, require disclosure of any breaches or additional risks, etc.
Luckily for you, while it sounds complex, in practice it is much simpler. Half the battle is doing the vendor assessment and getting the right paperwork done, while the other half is getting the right solutions to control access and monitor usage of sensitive data on your end.
Here are 5 simple tips on how to manage third party vendors – each in more detail:
1. Knowing what you’re dealing with is half the answer
First things first, you need to know the actual state of cyber security of any third party vendors you are working with. Assessing third party vendors is no harder than conducting background checks when hiring employees. Look for partners that are known and reputable.
At the very minimum, you should discuss cyber security best practices with the upper management or stakeholders of the company. Ask them what measures they have in place and discuss such things as breach notifications and compliance. If you can, it is best to go to their office and audit their security yourself, although this option is not always available and not always worth it in terms of money.
At the end of the day, as long as you know what you’re dealing with, you will be able to incorporate this information into your own risk assessment, and by extension – your own security strategy. This provides your compliance and legal department with a clear direction to take regarding such vendors, and also allows you to put a price tag on the threat, making it easy to justify any additional security spending.
The final deliverables you need to produce should include a written security policy for third party vendors, as well as putting in place all the necessary controls and procedures, such as encryption, two-factor authentication and user action monitoring.
2. Smart contracts – your best weapon
The best leverage you have over third party vendors is legal and financial. You need to make sure that any contracts and agreements you sign with third party vendors include cyber security requirements and spell out penalties for not complying with them.
We recommend signing a service-level agreement (SLA) that mandates that third party vendors comply with the security standards and policies of your company. It should cover everything regarding network communication, data access and privacy, as well as disclosure of any breaches and leaks. Continuous security assessments should be your way of verifying that third parties are following through on this agreement.
The main purpose of an SLA and other similar agreements is to get you and the third party vendor on the same page, putting into writing a single security strategy that you both agree to follow.
If you’re working in finance, healthcare, education, or any other industry dealing with personal data, chances are you and the third party vendors you work with are subject to the same compliance requirements regarding privacy and data security. In this case, requirements such as HIPAA and PCI DSS are helpful, because they give you a common starting ground for working on cyber security together with your third party vendor.
3. Put the right people in charge
Now, in order to effectively enforce security requirements and work together with your third party vendors toward protecting your data, you need the right people in charge. And as strange as it may sound, those people are not IT or infosec.
Sure, they are necessary to cover the technical side of things, to set up and monitor all security controls on your end, and to help you conduct the vendor security assessment and understand what you are dealing with. But they will not help you enforce any of the requirements and policies you have put in place.
Ultimately you have no control over what’s happening on the third party vendor’s side beyond the signed agreements and compliance requirements. You need to put your legal or compliance people in charge of dealing with vendor security. They are the ones who can control and effectively enforce compliance with the agreed-upon security practices and standards, using the vendor’s own bottom line as a powerful and extremely persuasive incentive.
4. Control access to sensitive data
So far, everything mentioned above has concerned vendor assessment and the enforcement of security policies and compliance on the vendor’s side. But when it comes to cyber security, third party management doesn’t end there. You also need to put controls in place on your own end, in order to make sure that you know who accesses your data, when, and why. And first of all, you need to enforce proper access control.
Now, the first step to effective access control is limiting the number of things people can access. The principle of least privilege is a very effective approach that restricts the right to access data to only those who absolutely need it, and you should definitely apply it to both your employees and your third parties. Make sure that you assign as little privilege to your third party vendors as possible, thus limiting the attack surface in case of malicious actions or a hacking attack.
Apart from that, you need to protect your login procedure, and the best and simplest way to do this is two-factor authentication. 2FA solutions require possession of a second physical device, whether an identity token or a personal mobile device, to confirm the identity of the user and complete the login procedure. While two-factor authentication is not flawless, it is nevertheless extremely reliable and a de facto industry standard.
Another solution for third party access control that allows you to kill two birds with one stone is one-time passwords. They allow you to give temporary privileged access to a remote user, serving both as an additional authentication layer and as a way to eliminate the need to manage credentials.
There are many solutions out there that combine one-time password and two-factor authentication functionality. For example, the popular user action monitoring software Ekran System provides both a one-time password feature and free two-factor authentication functionality.
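To make the two ideas of this section concrete, here is an added example (my own constructed code, not from the article or from Ekran System) of a small access broker for vendor accounts: each grant carries a least-privilege scope of (resource, action) pairs, is opened by a one-time token that can be redeemed exactly once and expires after a set time, and every decision is written to an audit trail. The `VendorAccessBroker` class, its method names and the resource names used are all assumptions made for the illustration.

```python
"""Constructed example (not from the article or Ekran System): scoped,
time-limited, single-use access grants for vendor accounts, with an audit trail."""
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    vendor: str
    scope: frozenset            # (resource, action) pairs the vendor actually needs
    expires_at: float
    redeemed: bool = False      # one-time token: redeemable exactly once


class VendorAccessBroker:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock, so expiry can be tested
        self._grants = {}        # sha256(token) -> Grant; the token itself is never stored
        self._sessions = {}      # session id -> Grant
        self.audit_log = []      # (time, vendor, event, detail): who did what, and when

    def issue(self, vendor, scope, ttl_seconds):
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self._grants[key] = Grant(vendor, frozenset(scope), self._now() + ttl_seconds)
        self.audit_log.append((self._now(), vendor, "issue", sorted(scope)))
        return token             # delivered to the vendor out of band

    def redeem(self, token):
        grant = self._grants.get(hashlib.sha256(token.encode()).hexdigest())
        who = grant.vendor if grant else "unknown"
        if grant is None or grant.redeemed or self._now() > grant.expires_at:
            self.audit_log.append((self._now(), who, "redeem-denied", None))
            return None
        grant.redeemed = True    # a replayed token is refused from now on
        sid = secrets.token_hex(16)
        self._sessions[sid] = grant
        self.audit_log.append((self._now(), who, "redeem", sid))
        return sid

    def authorize(self, sid, resource, action):
        grant = self._sessions.get(sid)
        ok = (grant is not None and self._now() <= grant.expires_at
              and (resource, action) in grant.scope)
        who = grant.vendor if grant else "unknown"
        self.audit_log.append((self._now(), who, "allow" if ok else "deny", (resource, action)))
        return ok
```

Anything the vendor was not explicitly granted, a replayed token, and any use after the expiry time are refused and logged, which is the behaviour you would want to see from a real one-time-password or privileged-access product.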
5. Monitor third party user actions
Apart from knowing who accessed your sensitive data and when, you also need to know how they used it. Therefore, in addition to access control, you need to monitor user actions once they are in your system.
Considering that to an outside observer the malicious actions of insiders can be indistinguishable from their regular everyday routine, the only way to detect them is to look at them from within, in their proper context. User action monitoring software records everything a third party vendor does in your system and allows you to review those recordings and determine for yourself whether any malicious actions have taken place.
User action monitoring tools are great not only for detection, but also for prevention. Simply by knowing that their actions are recorded, your third party vendors will be much less likely to attempt anything shady. Moreover, in case of a breach, the recordings will provide the evidence you need to take those third party vendors to court.
One concern many companies have regarding user action monitoring software is the cost and complexity of deployment. While it’s true that there are bastion-server based solutions with a high entry cost out there, there are also affordable agent-based solutions available that do not require any changes to your existing infrastructure. For example, the aforementioned Ekran System is one such simple and affordable user action monitoring tool that can be used effectively by both small and large businesses.
The bottom line is that vendor monitoring is your best tool in the fight against insider threats coming from third party vendors. While the native logging capabilities of the OS and software you use provide mostly technical information and can easily be tampered with, user action monitoring software gives you a clear idea of what a particular user did and how they did it.
As you can see, the tips above are fairly basic and simple, yet they are the ones that work. Third party vendors are essential to any modern business. However, any company that ignores the potential cyber security threat coming from those associates does so at its own peril.
It’s always better to be safe than sorry, and to take the necessary measures to protect your sensitive data from third party insiders.
Written by Oksana Sobolieva