The Looming Threat of Third-Party Security Risks

A recent survey conducted by the Ponemon Institute underscores just how uneasy business leaders feel in regards to the security postures of third-party vendors and other business partners with which they share sensitive and confidential information. In addition to not knowing for certain if third-party vendors maintain strong IT security defenses, more than a third of businesses surveyed "do not believe their primary third-party vendor would notify them if a data breach involving sensitive and confidential information occurred."

The outlook grows even worse when contemplating subcontractors who work for third-party vendors and may also come in contact with confidential information. An alarming 73% of survey respondents did not believe a subcontractor to a third-party vendor would raise a red flag if they suffered a data breach.

Given the importance of making sure third-party vendors and their subcontractors maintain a strong security posture, we decided to examine the key findings of the Ponemon Institute survey and then present our viewpoints on how businesses should react.

Finding: Companies are not able to confirm if third parties have had a data breach or cyberattack involving their sensitive and confidential information.

Response: Traditionally, this information is kept private unless required to be included in a state-legislated breach notification. In many cases, businesses don’t even know what they are sharing with their business partners. Therefore, the small and medium vendor can’t be expected to have an understanding for what must be communicated to their business partner in the event of a breach.

What obligation does a vendor’s CISO or legal team have to notify business partners? In most cases, the contract between a business and its third-party vendor does not require notifications of a breach. Given that the companies likely don’t know what data they share, the likelihood that the third-party vendor does not know when they’ve been breached, and that the contract doesn’t require them to notify, it’s no wonder that businesses doubt they’ll hear from their third-party vendors when a breach occurs.

The third-party vendor may not even know who to notify. The fact that they’ve been breached doesn’t necessarily translate to a requirement to notify business partners, but even if they were required, how would they do it? Who would they tell? A good way to provide a point-of-contact during an incident is to give third-party vendors access to an online form as part of a vendor assessment program. The vendor can simply click to notify the vendee of a breach. A question—or a small series of questions—could be included in a regular (quarterly or monthly) assessment to ensure that this stays top-of-mind with the vendors.

Finding: Companies are not able to determine the number of third parties with access to their confidential information and how many of these third parties are sharing this data with one or more vendors.

Response: This is not surprising in that large enterprises have limited visibility into their vendor ecosystem—especially the small and medium businesses, where visibility if most certainly ZERO. So how can businesses tackle this challenge? Starting with the architecture of the HIPAA/HITECH Business Associate Agreement (BAA) provides a good model.

Healthcare organizations require third-party vendors to sign the BAA, which makes the vendors responsible for subcontractor partners. Third-party vendors must then require their subcontractors to maintain solid security postures in addition to maintaining their own security posture. But once the BAA is signed, it can be difficult to enforce; this is where the model starts to break down since the often-included right to audit is rarely invoked.

  Source:   Kaiser     Data Security Requirements      (Note: Opens a PDF in a new window)

  Source: Kaiser Data Security Requirements
  (Note: Opens a PDF in a new window)

Furthermore, no enforcement of the BAA is required by the covered entity (CE); the enforcement of the BAA liability is handled by the Health and Human Service’s Office of Civil Rights (HHS OCR). However, some covered entities (e.g. Kaiser) recognize that while a BAA protects a CE from a penalty imposed by the HHS OCR, they’ve elected to include an audit provision in their own BAA to further protect themselves.

Also worth noting is that this agreement, in its purest form, only applies to healthcare organizations. While it represents a decent starting point for a well-defined best practice, other industries do not have the same type of regulated protection.

To take on this challenge, it would be beneficial to see each third-party vendor’s relationship with the company as well as the relationships of all subcontractors such that the company can get a full supply-chain view with documented risk baselines up-and-down and across the entire supply chain. This would allow the business at the top of the chain to identify its downstream exposure. Of course, this starts with having a view into the first line of the supply chain. Businesses would do well to get that view first, since most can’t even paint that first-level picture.

Finding: There is a lack of confidence in third parties’ data safeguards, security policies and procedures and if their security posture is sufficient to respond to a data breach or cyber attack.

Response: This lack of confidence implies businesses don’t trust the security posture of their third-party vendors, and that’s probably because they can’t “see” these security postures. Traditionally, businesses rely on questionnaires, but they can’t easily verify the answers provided nor validate the policies and controls depicted by the responses.

To make progress in this area, businesses need to get their third-party vendors to agree to a security assessment as part of the master services agreement. From there, the business can enforce the vendor to adhere to standard security controls, implement the controls identified, and then report progress against those implementations. It’s important to establish a validated and verifiable risk baseline driven by externally-acquired and internally-performed technical assessments; this is the only way a business can “see” its risk with respect to doing business with that vendor.

Finding: Companies rarely conduct reviews of vendor management policies and programs to ensure they address third-party data risk. In addition, a lack of resources makes it difficult for organizations to have a robust vendor management program to manage Nth party relationships.

Response: It’s not because there isn’t’ risk there—a questionnaire alone is not sufficient, and onsite assessments don’t scale. There’s essentially an insurmountable problem with the tools businesses are using and the resources they are lacking to assess the risk of third-party vendors and their subcontractors.

Finding: Accountability for the correct handling of an organization’s third-party risk management program is decentralized. Similarly, no one department or function is responsible for ensuring that appropriate privacy and security language is included in all vendor contracts.

Response: Procurement teams and business leaders sign deals, but the security team doesn’t find out until after the deals are done. The legal team may not see the deals at all. Some vendors are paid via expense reports without any procurement process invoked, and therefore no inspection of the terms the vendor is responsible for. In most cases, the right hand doesn’t know what the left hand is doing.

This is the time and opportunity to enable the entire business, including security and legal teams, to collaborate. This holds true not just for onboarding new vendors, but also for mergers and acquisitions. IT security is often the last to know about these dealings, yet they are held accountable for identifying and mitigating the risk without knowing what the business has signed them up for. This needs to change if a company is going to properly mitigate its third-party risk.

If a vendor relationship involves a high-value data exchange, the vendor should be vetted—period. It doesn’t matter how big or small they are; they should have some form of assessment performed. Both small and medium businesses should be closely inspected as they likely have limited budget, resources, knowledge and ability to actually meet an acceptable security posture.

With this, a lightweight process that brings all third parties together into a single view—whereby baselines can be viewed and compared across vendors and industries—becomes critical. Every vendor must go through procurement, and a centralized risk-management program must be included as part of this process to ensure a risk baseline is met at each phase throughout the relationship.

Finding: Senior leadership and boards of directors are rarely involved in third-party risk management and often do not require assurances that third-party risk is being assessed, managed and monitored.

Response: This is something that’s likely to change very rapidly as clients and prospects in many industries are discussing the need for senior leadership to get involved in third-party risk management.

Standard operating procedures typically involve a heavyweight, inefficient system—either high-cost outsourced assessments, tedious resource-intensive on-site assessments, or both.

However, due to increasing interest from the board and the responsibilities—and the personal risk—of the people reporting to the board, the systems need to become more efficient. More vendors need to be assessed—more efficiently, more accurately, more frequently and more consistently.

A questionnaire, while important, is not enough. An external reputation score, while extremely valuable, is not enough. On-site assessments, while necessary for some vendors, can’t scale to cover all of the small and medium vendors—arguably the group of vendors that pose the most risk to the business.

To date, the Board of Directors doesn’t likely understand how this is going to get fixed because the scope and how it will happen has not yet been determined nor widely discussed in the information security and risk management market. But the impact of the risk has surpassed the threshold of what the board cares about, and its job is to help the company make good decisions, including those based on risk. The issue “Have we thought about third-party vendor security assessments?” is now a core topic being discussed in many boardrooms around the world.

The drive is there. Clearly the Board of Directors expects the CISO to determine the standard of care. But what has to change in the standard of care? CISOs need to point out that when the inefficiencies of the system come up, they will look for ways to overcome this challenge. Lackadaisical (good enough) management is no longer acceptable—if the current process doesn’t meet the baseline standard of care given the number of breaches that are occurring, then a scalable, cost-effective alternative must be employed.

Finding: Companies rely upon contractual agreements instead of audits and assessments to evaluate the security and privacy practices of third parties.

Response: Companies can rely on agreements and contracts if they exist, but if the details of the agreement are invalid, can the risk be accepted? Actually, this could be catastrophic.

Typically, everyone answers questionnaires—often a key element of the contract—the same way. So how does a business tell if a third-party vendor is doing a good job mitigating risk and holding a strong security posture, now and into the future?

SEC Cybersecurity Findings May Establish De Facto Standard

"Organizations should consider implementing the measures identified above as determined to meet specific company’s requirements and regulatory obligations (as in the case of 31 C.F.R. § 1023.320(a)(2)’s reporting requirement, for example). However, companies should be aware that industrywide adoption of discretionary measures could lend itself to establishment of a de facto standard of care against which potential liability may be measured in both the litigation and regulatory context. For this reason, firms choosing not to establish similar baseline minimum standards could potentially be held liable for loss if it is determined that a minimum standard of care exists."

Source: Law360

Those that have their third-party vendors sign an agreement may think they’re “done” and that it doesn’t matter if the vendor gets hacked. But the agreement should also ensure/validate a good security posture is in place, not just (hopefully) transfer the risk to the vendor. Furthermore, best practices aren’t a moment in time, they must be performed on an ongoing basis. As an analogy, consider the scenario where someone only brushes their teeth just before they go to the dentist—once or twice a year—they can’t expect to have a good set of choppers now, can they?

Instead of pushing the burden onto vendors that can’t absorb the burden, businesses need to take a more comprehensive approach:

  1. Ensure the security baseline of all third-party vendors is being met
  2. Insure against the resulting remaining risk/loss
  3. Focus on actionable risk mitigation
  4. Cover the rest in risk loss

Where Do We Go From Here

The inability to measure the security posture of third-party vendors and the inability to confirm whether they have suffered cyberattacks involving sensitive information serves as a wake-up call for all businesses. Taken as a whole, the findings of the Ponemon Institute survey call for businesses to search for processes and tools to help them deal with these challenges.

With all the rapid changes in technology, the impending threat landscape also means policies and controls will need to change over time. As your business seeks to assess the security posture of your third-party vendors, the assessment needs to extend to all the business relationships of your third-party vendors—sensitive data must be protected across your entire supply chain, not just at the handful of vendors you think hold the most risk.

Equally important, the assessment needs to be conducted on a regular basis to ensure that the security remains intact throughout the entire vendee/vendor relationship, not just at the time the contract was signed.

When you’re ready to look at this risk, be sure to identify a partner that has a vendor assessment program that can help your organization change the results for the better the next time Ponemon Institute conducts their survey.

Harry Wan

Harry Wan is the CTO and co-founder of Datum Security (DatumSec). Harry has successfully led engineering teams (large and small) as they built world-class security products at Symantec and Arbor Networks. Harry holds a CISSP and graduated with an Electrical Engineering degree from Cal Poly Pomona. Harry is also the current Secretary for the LA/SoCal Chapter of the Cloud Security Alliance.

More about Harry