7 Steps to protect against Vulnerable Third-party Service Providers
There is no shortage of headlines when it comes to third-party breaches. While third-party software is becoming a common commodity in most organizations, currently there’s a lack of a formal vetting process to assess the security posture of the software and mitigate the risks they pose to a company’s core operations on an ongoing basis.
A third-party service provider is generally defined as an external person or company who provides a service or technology as part of a contract. In the IT space, a third-party service provider typically provides a technology used to store, process, and/or transmit data that enhances an organization’s operational efficiency.
Risks are everywhere, particularly today as we become more digitalized, and organizations of every size are exposed. One risk that receives too little attention is "third parties", and the recent hack of FireEye, one of the largest cybersecurity firms in the world, through SolarWinds is proof of why you need to take extra care with your third parties (read more about the SolarWinds attack here).
It’s one thing to put faith in your service providers to do their jobs effectively. It’s another to ignore your own firm’s responsibility to manage that third-party as a means of protecting your own firm. Successfully managing risk associated with third-party service provider relationships is a full-time job, especially for financial services firms working with dozens of various parties. Here are a few tips to help your firm properly manage third-party service provider risk:
You must understand the breadth and depth of the relationships your firm has established: you need a comprehensive understanding of who your outsourced providers are, what services and functions they provide, and what level of access they have to your firm's data and systems.
You need to calculate potential risks and vulnerabilities. For that, understanding your firm's risks and exposures is critical regardless of the service provider benefits you're leveraging. The better you know what assets you have, the more efficient the risk assessment can be. Completing a service provider risk assessment for each third-party engagement will provide insight into the level of access each provider has and, hence, any potential vulnerabilities that may arise.
Below are the 7 steps to protect your organization against vulnerable third-party service providers:
- Create a template of standard information security and privacy contract clauses. Contracts should be customized for each vendor, but it’s helpful to have a place to start.
- Establish and communicate a clear and documented breach notification process for the vendor to follow after a security incident. Include notification time requirements.
- Request monthly or quarterly security and privacy attestations from your high-risk vendors’ executive management.
- Do not request a vendor to use an assessment that will cost more for the vendor to take than the amount you are paying them for their work or service.
- Be wary of assessments that claim “certified compliance.” Compliance levels vary on an ongoing basis as changes in the business environment occur, new threats and vulnerabilities are discovered, and new legal requirements arise. There is no such thing as “Certified 100% Compliance” or similar claims.
- Verify you are named as an insured on the vendor’s security and privacy liability insurance.
- Make sure your cyber liability policy covers losses related to security events at a vendor (Contractors are often not covered).
Implement Third-Party Risk Management process!
Third-Party Risk Management is the process of analyzing and minimizing risks associated with outsourcing to third-party vendors or service providers. Third parties can be risky to your organization because those vendors have access to intellectual property, sensitive data, personally identifiable information (PII), protected health information (PHI), and so on.
Third-party risk management is important because the use of third parties impacts cybersecurity directly, regardless of whether your vendor has a direct or indirect relationship with your organization.
What risks do third-parties introduce?
There are many potential risks that organizations face when working with third-parties including:
- Cybersecurity risk: The risk of exposure or loss resulting from a cyberattack, security breach, or other security incident. This risk can be mitigated via a due diligence process prior to onboarding a vendor and continuous monitoring throughout the vendor lifecycle.
- Operational risk: The risk of a third party causing disruption to business operations. This is typically managed through contractually bound service level agreements (SLAs), and business continuity and incident response plans. Depending on the criticality of the vendor, you may opt to have a backup vendor in place, which is common practice in the financial services industry.
- Legal, regulatory, and compliance risk: The risk of a third-party impacting your compliance with local legislation, regulation, or agreements. This is particularly important for financial services, healthcare, and government organizations and their business partners.
- Reputational risk: The risk of negative public opinion due to a third-party. Dissatisfied customers, inappropriate interactions, and poor recommendations are only the tip of the iceberg. The most damaging events are third-party data breaches resulting from poor data security, like Target’s 2013 data breach.
- Financial risk: The risk that a third-party will have a detrimental impact on the financial success of your organization. For example, your organization may not be able to sell a new product due to poor supply chain management.
- Strategic risk: The risk that your organization will fail to meet its business objectives because of a third-party vendor.
A recent example
Third-party service provider’s security incident compromised Washingtonians’ personal information
A security incident involving a third-party provider of hosted software services, which was used by the Office of the Washington State Auditor, might have exposed sensitive data belonging to Washingtonians.
This data includes personal information from about 1.6 million unemployment claims made in 2020, as well as other information from some state agencies and local governments.
“I know this is one more worry for Washingtonians who have already faced unemployment in a year scarred by both job loss and a pandemic. I am sorry to share this news and add to their burdens,” said State Auditor Pat McCarthy. “This is completely unacceptable. We are frustrated and committed to doing everything we can to mitigate the harm caused by this crime.
“I want to be clear: This was an attack on a third-party service provider. The Employment Security Department did nothing to cause this, and is not responsible in any way for this incident,” McCarthy said.
SAO has notified law enforcement and the Attorney General’s Office of the incident. SAO is also evaluating other tools and protocols for sharing data files in the future. To read the rest of the article :
If you want to learn how hackers think, you can read one of my earlier articles:
How hackers steal your password : https://www.erdalozkaya.com/how-hackers-get-your-password/
Are you under attack : https://www.erdalozkaya.com/are-you-under-attack/
More details about FireEye hack
FireEye publishes details of SolarWinds hacking techniques : https://www.theregister.com/2021/01/19/fireeye_solarwinds_code/
Cisco hacked through SolarWinds as tech casualties mount: https://www.crn.com.au/news/cisco-hacked-through-solarwinds-as-tech-casualties-mount-559264
FireEye Discovered SolarWinds Breach While Probing Own Hack Read more at:
SolarWinds and FireEye Breached: What You Should Know: https://www.security7.net/news/solarwinds-and-fireeye-breached-what-you-should-know