Managing third-party service provider risk
Strengthening supply chain security
When we think of supply chains, what now comes to mind is an interconnected web that extends and branches in every direction. With digital services such as cloud providers in the mix, we’re now talking about a multi-faceted ecosystem to run your core business. Securing your supply chain is paramount. In fact, research from the Ponemon Institute found that the average organization has given 471 third parties access to sensitive information. What’s more, each third party has its own complex web of suppliers.
So while you may have invested greatly in cybersecurity controls and are confident about your company’s own security safeguards, you need to take a close look at your vendors, especially those who can access your network or data (e.g., billing and payment vendors, electronic health record platforms, website host servers, cloud service providers, etc.).
Using third-party service providers can introduce security risk to your business. Third-party developers, for example, might leave source code on public repositories, “development” or “test” data that was not properly sanitized may exist on unprotected database servers, or a security issue that occurs in their environment may have catastrophic downstream impacts on your ability to conduct business.
How can you mitigate service provider security risk?
Reliance on a service provider of any type requires a company to be very diligent in ensuring that the provider has a well-defined Security Program that includes periodic penetration testing using attack scenarios that include simulated access to a customer environment. Your own company should do the same, making sure the scope includes simulated access to your service provider’s connection. What additional security steps should you take?
• Schedule regular backups of all your business critical systems and applications, and make sure that these backups include applications both onsite and in the cloud.
• Perform scenario-based tabletop exercises and include your service provider in the scope. Having them participate will go a long way toward helping both of you truly understand how best to coordinate should an attack occur.
• Incorporate your tabletop exercises into your Incident Response (IR) Plan. Your IR plan should be well communicated and updated no less than annually. Because we never know when an incident will occur, the best time to create the plan is NOT during an incident.
• Also consider having an IR firm on retainer. In many cases these firms are contracted through your Cyber Risk Insurance Policy Carrier. If you have not done so, you should contact the carrier and determine the role of engaging an IR firm.
• Stand by your requirements: Only seek out the service providers that have already adopted these security practices.
In one headline example of a data storage breach, attackers infiltrated a third-party web application, accessing the company’s trove of personal data belonging to more than 147 million people. In another infamous third-party attack on a global retail giant, hackers presumably executed their dirty work through an HVAC contractor.
Re-assess your third-party risk management program
Now may be a good time to take another look at how your company or organization is managing third-party risk in general. Some best practices include the following:
- Security awareness and training
- User account management
- Connectivity agreements that hold the vendor accountable
- Auditing requirements
- Annual self-attestation by the vendor of risk management measures
- Third-party assessment reporting
- Adding a virtual sensor (in some cases) to the vendor network to analyze its logs
- Using a separate VPN for vendors that need remote access (if allowed)
- Continuous network monitoring (e.g., by IronNet’s Network Detection and Response solution IronDefense)