Highlights of the March 23, 2022 webinar hosted by Bill Heaven, CPA, CISA, CITP, CSCP, Senior Director IT Development
Third-party risk is on the rise, through email and supply chain threats, rising third-party breach costs, and breaches caused by a third party.
How do your vendors rate?
Every organization should be able to answer that question, and should define the obligations its vendors have to meet via:
- Contract
- Security requirements
- Privacy regulations at the state level, like California Consumer Privacy Act, a landmark law that gives consumers the right to know about the personal information a business collects about them and how it is used and shared, and the right to have it deleted.
Attack vectors
Ransomware is getting more dangerous; attackers are doing two relatively new things:
- Exfiltrating data from your systems before they encrypt it, then threatening to post customer data on websites.
- Getting into systems and attacking the backups, so you can’t revert to them to avoid paying a ransom.
Code signing – getting into systems and tampering with the signing or certificate checks long enough for the credential check to pass, so that you load malware believing it comes from a legitimate vendor.
Compromising open-source code – harder to get malware into open-source code than to abuse code signing.
Who’s responsible for vendor risk?
Confusion on responsibility: just as there is a misconception that responsibility for cybersecurity belongs to IT alone, the same thing happens with vendor risk; it needs to be owned at upper levels of management across procurement and information security.
Third-party risk management steps
Discover:
- Have a data classification process by sensitivity to know what types of data you have and what’s most important.
- Know what vendors will do with your data, what type of data, and their access.
- Have a framework to evaluate vendor access objectively, including the controls vendors should have in place based on the kind of information they are accessing.
Analyze:
- It’s important to evaluate how the vendor is going to integrate into your business processes.
- It’s your job to be as responsible as possible with your customers’ data.
Manage and quantify:
- Assign a risk quantification score.
- Document it to allow mitigation when necessary.
- Use an objective process, regardless of the size of the vendor organization, such as a SOC report or an assessment from an independent security firm, to ensure the information is valid.
Prioritize and treat:
- Put as many controls as you can into your vendor contracts to make sure you are creating a secure environment, enough to keep the business on the up and up.
Monitor continuously:
- Have to keep tabs on what’s going on.
- Most important to risk management is a formalized process, with steps that have to be followed.
- Assess regularly, at least annually.
Third-party risk is on the rise
- Email/supply chain threats – 80 percent of cyber attacks result from phishing – sad to say, but it does work.
- Supply chain threats are relatively new and more sophisticated, typically carried out by nation-states, like the SolarWinds attack.
- The average cost of a third-party breach across all industries is up by $370,000; 53 percent of organizations have experienced a third-party breach.
Suggestions / best practices
- Put policies in place to limit access to systems to whatever people need to do their jobs.
- Monitor regulations on privacy and security requirements, which are typically set at a state level.
- Monitor vendors to maintain their obligations relative to your business and data.
- Visit www.cisa.gov for resources such as risk assessment guidance, the latest phishing scams, etc.
- Make sure someone at the highest levels of the organization, such as the chief operating officer, owns vendor risk.