April 21, 2023
In today’s interconnected world, organizations of all sizes commonly rely on third-party vendors for various products and services.
These vendors are often granted access to sensitive data and critical systems, making it essential for organizations to ensure their cybersecurity policies are aligned with their third-party vendors.
Criminals know third-party vendors often provide the weak link necessary to infiltrate an organization’s network.
The consequences of a security breach or a data leak can be devastating – not only for the organization but also for its clients and customers.
Cybercriminals continually modify and create new attack vectors that could expose an organization to various enterprise risks – including financial, operational and reputational harm.
Therefore, it’s important for businesses to align their cybersecurity policies with third-party vendors, as well as provide strategies that can be employed to secure the supply chain.
Working together
A proactive approach to supply chain security can help ensure both groups work together to protect sensitive information and assets from cyber threats.
In recent years, there have been several high-profile data breaches that were caused by third-party vendors’ security lapses.
One such example involves Accellion, Inc., recently rebranded as Kiteworks, which is a third-party vendor that provides file-sharing services for large or sensitive data files.
In late 2020, and continuing into 2021, hackers exploited vulnerabilities in Accellion’s File Transfer Appliance, resulting in numerous data breaches affecting dozens of government and private organizations, in multiple countries.
According to Reuters, Accellion has recently reached an $8.1 million settlement agreement to end litigation over the breach (Stobbe v. Accellion Inc.) – several of Accellion’s clients are still facing litigation over alleged lapses in data security.
As this example illustrates, the more enterprises rely on interconnected devices, endpoints and platforms, the more they expose themselves to potential attacks that exploit third-party equipment or software.
While it may be necessary to employ third-party vendors to increase the growth and efficiency of an organization, it is equally necessary to develop a comprehensive approach that establishes meaningful guidelines regarding cybersecurity.
Established expectations
One of the most significant benefits of establishing cybersecurity expectations with vendors ahead of time is that it helps create a culture of awareness and collective responsibility for the integrity of the shared supply chain.
It can ensure vendors are aware of the security risks they may face and are taking the necessary steps to protect themselves and their clients.
A shared cybersecurity mindset can help ensure vendors are accountable for their part in maintaining a high level of security.
This process may also help streamline the selection and management of third-party vendors by ensuring they meet the same security requirements as the primary organization, saving time and resources.
In addition, aligning cybersecurity policies with third-party vendors can help mitigate the risk of cyber threats.
Cybercriminals are becoming increasingly sophisticated in their attacks, and it’s important for organizations to be proactive in protecting their assets.
It is important to note cybersecurity policies should not be a one-size-fits-all approach.
Different vendors will have different security requirements based on the services they provide, the data they handle and the systems they use.
Therefore, it is important for organizations to work with their vendors to create tailored cybersecurity policies that meet their specific needs.
There are things businesses can do to help ensure their cybersecurity policies align with third-party vendors, including:
Develop risk management policy
It is a good idea for organizations to develop a comprehensive risk management policy that outlines the necessary cybersecurity standards vendors must meet to be eligible for business partnerships.
These standards should be aligned with the organization’s own policies and regulations. Examples of this include:
- Applying role-based permissions to access applications and infrastructure.
- Regularly identifying and patching product vulnerabilities.
- Participating in tabletop exercises designed to rehearse incident response procedures.
Consideration should be given to including these requirements in contractual agreements that outline the vendor’s responsibilities for protecting data and complying with cybersecurity policies.
Conduct thorough risk assessment
Before engaging with any third-party vendor, organizations should conduct a thorough risk assessment, which includes an analysis of the vendor’s security practices, data handling procedures, access controls and employee training programs.
The vendor's practices should conform to industry standards and best practices.
If weaknesses are identified, evaluate their likelihood and potential impact and make necessary adjustments.
Provide training and support
Organizations should provide ongoing training and support to their third-party vendors to help ensure they understand the organization’s cybersecurity policies and best practices.
This training should be provided at all levels of an organization and should include how to identify and respond to potential security threats.
Develop incident response plan
This plan should encourage prompt reporting and outline the steps to be taken in the event of a security incident.
An effective response plan includes established communication channels and defined roles and responsibilities for the containment, investigation and resolution of an incident.
Perform continuous monitoring
Ongoing monitoring and regular audits are important to help verify vendors’ compliance with organizational needs and expectations.
This monitoring may include regular security audits, vulnerability assessments and compliance checks.
Maintaining clear and open lines of communication during this process is essential.
A significant security breach or data leak has the potential to substantially damage an organization’s reputation or financial well-being.
When an organization outsources services to third-party vendors, it entrusts them with sensitive data and critical systems that, if successfully attacked, could result in significant harm to the organization.
It is important for organizations to take a proactive approach to align their cybersecurity policies with their vendors and regularly monitor those policies to ensure compliance and adapt to new threats.
This alignment helps ensure both parties are working together to maintain a high level of security and creates a culture of accountability shared by all parties involved.
By confirming their third-party vendors have strong cybersecurity policies and measures in place, organizations can reduce the risk of a security breach.
Detective Eric Edson is a 29-year veteran of the Sheboygan Police Department. In his role, Edson is responsible for investigating major crimes, which include financial crimes and fraud.