NNT - New Net Technologies
Over the past five years, data breaches caused by third-party vendors have continued to increase in severity and frequency.
In fact, the latest Ponemon Institute Data Risk in the Third-Party Ecosystem report claims that 59% of companies experienced a data breach caused by one of their third-party vendors.
Minimizing your chances of a third-party data breach is a tall order since much of it is out of your direct control. You can be operating with strict security controls in place internally, but if you don’t enforce those same rigid standards with your third-party vendors, there is no way to guarantee that your organization is safeguarded from attack.
But the big question remains – how can your organization prevent third-party data breaches? Here are five steps to follow to ensure compliance across your third-party vendors and reduce overall third-party cyber risk:
Would you really want to do business with anyone that could put your organization, or your customers, in jeopardy? Hopefully not. That’s why it’s important to evaluate any potential third-party vendor’s security posture before agreeing to do business with them. Make sure that you review the vendor’s vulnerability management program, understand what compliance frameworks the vendor is required to adhere to, and document all security technologies used by the vendor to ensure proper protective measures are in place.
Secondly, you’ll want to start incorporating security standards and expectations into your vendor contracts. While this will not 100% prevent a third-party data breach, it will keep your vendors on their toes and hold them accountable to maintain stringent cybersecurity measures or risk having their contract terminated. Consider mandating that vendors wishing to do business with you adopt universal standards like the CIS Controls, for example, as these controls have been proven to help prevent up to 95% of cyber attacks. To help prevent any lingering security risks, consider adding terms and conditions to your contracts requiring vendors to notify your organization of vulnerabilities as they arise and to remediate security issues within 72 hours to help minimize potential risk.
Some of the most notable data breaches in history have occurred because proper least privileged access measures were not in place. Avoiding security mishaps with third-party vendors requires your organization to only give vendors access to information that they need in order to fulfill their job – no more, no less. This concept of least privileged access will help significantly reduce the risk of third-party data breaches and protect sensitive company data by ensuring that vendors only have access to the data that they need for business purposes.
Give your organization peace of mind by validating the integrity of your vendor’s IT systems and uncovering any existing cybersecurity gaps or vulnerabilities prior to agreeing to do business with them. Once you’ve identified the weaknesses that exist, require these gaps and vulnerabilities to be addressed and remediated if they wish to do business with you. An initial assessment is helpful, but suppliers are always adding new assets and software to their environment, so you’ll need to continuously monitor their cybersecurity posture for any deviations.
An organization’s cybersecurity posture can and will change, so it’s important for your organization to continuously monitor your vendor’s security controls over the entire relationship cycle. Organizations must require vendors to report on any significant events or changes that impact the security of company assets to reduce exposure and resolve security issues as quickly as possible. It’s especially helpful to have a solution in place that can help spot deviations from a vendor’s hardened, secure environment and send alerts in real time, such as NNT’s Change Tracker solution. Change Tracker allows you to reduce change noise by over 90%, leaving your organization with only genuinely suspicious, potentially malicious changes to review.
Unsurprisingly, many of the most publicized breaches disclosed in the last five years have been linked to third-party vendor relationships, including Quest Diagnostics, Macy’s, and Marriott Group. The consequences of these breaches can have an adverse impact on your business – from reduced customer loyalty, to lawsuits and potentially devastating fines.
To prevent these security incidents, organizations must work collaboratively with their third-party vendors and understand their security measures inside and out, incorporate risk management into vendor contracts, adopt a model of least privileged access, and regularly monitor and remediate security vulnerabilities and changes to their vendors’ hardened, secure IT environments.