It has been almost four years since the massive Target data breach. Astoundingly, managing third-party risks still does not command the vigilance it should in all too many organizations.
The latest proof: ten states neglected to vet America’s Joblink Alliance, the contractor behind the Joblink nationwide data base for job seekers. So by cracking into Joblink, an attacker gained access to Social Security Numbers and birth dates for citizens in Alabama, Arizona, Arkansas, Delaware, Idaho, Illinois, Kansas, Maine, Oklahoma, and Vermont.
You may recall how Target lost 40 million credit cards via a hack routed through an HVAC subcontractor. Target was supposed to be the third-party risk wakeup call of all time. Yet since that milestone 2013 data breach, third party exposures have continued to multiply much faster than businesses have been moving to address them.
Some 75% of the IT professionals recently surveyed by the Ponemon Institute acknowledged that the risk of a breach from a third party is serious and increasing. And another survey of senior executives by Soha System’s Third Party Advisory Group linked 63% of all data breaches directly or indirectly to access granted suppliers and contractors.
The problem stems from the rising role of specialized IT services and the rising popularity of outsourcing. More intensive use of data-related services, delivered by specialists, translates directly into more IT risk.
The issue has become so worrisome that a number of state regulators have begun to take action. At least four states have moved to imposed some form of departmental cybersecurity rules on businesses, led by New York, which now requires financial companies to certify that they’ve addressed, among other things, third-party risks.
As the Joblink hack demonstrates yet again, third-party risk can rear its ugly head anytime an outsourcing relationship involving network access exists. This is an exposure that encompasses companies of all sizes and in all sectors, cascading down through each tier and sub-tier of vendor relationships.
“This is an issue that all companies who rely on third party service providers to help them deliver goods and services need to be concerned about,” says Brad Keller, senior director of third-party strategy at Prevalent, a risk assessment consultancy. “And if you’re a third party provider, you can expect that your clients, more and more, are going to expect you to mirror their third party risk programs.”
Keller outlined three fundamental steps to begin addressing third party risks:
This seems all too obvious: companies need to start by compiling a comprehensive list of all suppliers and contractors, along with the specific services each provides, Keller says.
“I continue to be amazed, in this day and age, how many companies cannot provide such a list,” he says. “They just have not done it. I’ll go in and say, ‘Who are all your vendors?’ And someone will say, ‘I don’t know. I guess there’s a list somewhere in procurement.'”
Keller recommends starting in the finance department. “Accounts payable is really a fertile source of finding vendors you did not know about, because nobody works for free,” he observes.
The next step is to rank all of your vendors by the level of access they’ve been granted to your network – and also the importance of the service they provide. A vendor who supplies garden-variety marketing fliers doesn’t need deep access and can be easily replaced. But it would take time and effort to replace the hosted services vendor whom you rely on to supply processing power to run mission critical systems, Keller notes.
In addition to reducing third party exposures, risk rating is a useful exercise that can provide more operational clarity. “It’s difficult only because people haven’t done it,” Keller says.
Ultimately, due diligence must be performed with respect to key contractors. Does the supplier adhere to network security best practices? “In risk terminology, you’re now down to assessing the residual risk that’s left over — by finding out how well those companies protect your data in the system,” Keller says.
Out of this process can come informed decisions about whether to accept how the third party supplier operates, or to request specific improvements. Or it may be time to find a more security-conscious vendor.
“Companies need to take a broad look to determine all of the places outsourced risk could strike,” Keller says.
I agree. It is high time to do so.