Security Risk Assessment of Your Vendors and Yourself

 
 

If your organization works with a bunch of suppliers that have access to your network or servers, then you are probably concerned about the level of risk created by their access. If not, perhaps you should be.

Why? As one example, your organization may have a telecom provider that has remote access to service the phone or voicemail system, or your facilities provider may have access to monitor your HVAC system. In fact, these types of vendor relationships have been the cause of numerous high-profile breaches. The Target breach from 2013 was the result of stolen network credentials from an HVAC vendor. The Home Depot breach from 2014 stemmed from stolen vendor credentials. The CVS Photo breach in 2015 was a result of their vendor, PNI Digital Media, being compromised by malware. These are only a few of the many publicly-announced breaches resulting from third-party vendor security lapses that continue to occur year after year.

As security professionals, we know that we need to manage the risk that vendor access creates. We have vendor risk management processes that include a number of facets, with one of the most revealing being an assessment of their security controls. However, if we have many vendors -- some big organizations have thousands -- then evaluating the controls for most, let alone all, of them can be impractical. Plus, there's the issue on how to effectively measure the security controls on suppliers that don't have full IT or cyber security teams.

There needs to be an effective way of assessing these providers, so that you can make appropriate risk-based decisions on how to limit access or whether to deny it altogether. I foresee the industry moving towards a rating system where organizations wanting remote access to company resources will have to display their cyber security letter grade. Something akin to how restaurants in some cities have health department mandated letter grades for their cleanliness. I would be wary of eating at a restaurant that doesn't have an 'A' rating. I might be ok with a 'B' if I know why they didn't get an 'A', but I'll never eat at anything with a 'C' or lower. This same system could be in the future for allowing IT access to vendors. Would you allow VPN access into your network to a vendor that has a 'C' security rating?

So, how do we get this security rating for all of our vendors. What we want is for each of them to perform network and endpoint vulnerability assessments and to provide us with summary reports. . . on a regular basis. DatumSec is stepping in to solve this need. DatumSec’s offering is a low cost, third-party risk assessment solution that measures, collects and compares the evaluations from all of your vendors in a single screen. Your on-board process for new vendors could require that they subscribe to the DatumSec service, schedule the scans to run and then electronically submit the summary reports on a recurring basis. On your end, you get an aggregated view of each vendors' risk rating. The vendor also gets to see their ratings so that they can address issues, like unpatched systems, outdated applications with vulnerabilities or weak passwords. They get more secure and your risk becomes more manageable.

The same DatumSec scans can also be used on your own enterprise, so that you are leveraging the same solution to discover and measure your own vulnerabilities. I'll cover this more in my next article.


Gary Landau

Gary Landau has been leading IT and information security teams for over 25 years as part of startups as well as large global organizations. He is passionate about continuously improving system reliability performance and security. Mr. Landau has an MS in Computer Science, numerous technical certifications such as CISSP and CCNP, and is one of the founding board members and past President of the LA chapter of the Cloud Security Alliance.

More about Gary