A survey conducted by SecureLink and the Ponemon Institute on third-party risk management found that 51% of respondents attributed recent data breaches to a third-party vendor, whether directly or indirectly. Many organizations view third-party remote access as a security threat but not as a priority; they therefore do not take the necessary steps to reduce third-party remote access risk and, as a result, expose their networks to security and non-compliance risks. The same study found that 54% of organizations do not monitor, on an ongoing basis, the security and privacy practices of the third parties with which they share sensitive or confidential information.
Your organization should be evaluating the security of all third-party vendors, service providers, and other parties to ensure they aren't putting your network at risk. You may be confident in your own security, but a third-party vendor could still make you vulnerable. After all, we're only as strong as our weakest link.
Start with Yourself
Implementing proper security measures within your organization can significantly reduce the risk of a breach and mitigate the impact if one were to occur. Consider a multi-layered defense strategy that covers all endpoints and devices within your organizational structure, and remember that your staff is your first line of defense. In addition to annual employee training, implement a data security policy for all employees. Encrypting your files in transit, on the network, and even in the cloud will help protect your data from prying eyes and keep that data secure if a breach were to occur. These additional security measures make a compromise through a third-party vendor less likely.
Create an SLA
Creating a Service Level Agreement (SLA) or business agreement is key to ensuring that your third-party vendors uphold the necessary security standards. Having an SLA with vendors reinforces your security needs and holds them legally responsible if a breach occurs due to their own negligence or fault (if included in your contract). Such agreements may also require them to participate in audits. Thoroughly assess your organization's security requirements and be sure to include these in your SLA.
Limit Vendors' Access to Your Network
Bomgar conducted a survey on the security risks associated with third-party vendors and found that 44% of those surveyed reported an ON/OFF approach to vendor access rather than granting vendors varying levels of access. This is scary news: without access controls for vendors, every vendor has access to your entire network, which increases the impact of a breach if one were to occur. Privileged access management is critical in protecting your organization's network and should be customized so that every vendor is granted access based on its role. Vendors should only be given access to the programs and data they need to complete their job. Access should be reviewed regularly and modified to reflect changes in vendor responsibilities. Employing a multi-layered security approach with network segmentation ensures that if a breach occurs, other areas of the network remain protected.
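The role-based, deny-by-default vendor access model and the regular access review described above can be expressed as a small policy check. The following is an added example, not code from the original article or from any vendor's product; the vendor names, roles, resource paths, dates and the 90-day staleness threshold are all constructed for illustration. It contrasts a wildcard (ON/OFF) grant with role-scoped grants, and shows the findings a periodic review should raise: wildcard scope, scope beyond the vendor's role, expired grants, and grants that have gone unused.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple

# Which resources each vendor role legitimately needs (constructed sample data).
ROLE_RESOURCES: Dict[str, FrozenSet[str]] = {
    "hvac-maintenance": frozenset({"bms/hvac-controllers"}),
    "payroll-support": frozenset({"hr/payroll-app", "hr/payroll-db"}),
    "web-agency": frozenset({"dmz/www", "dmz/cms"}),
}

STALE_AFTER = timedelta(days=90)   # hypothetical review threshold
WILDCARD = "*"                     # marks an ON/OFF, all-or-nothing grant


@dataclass(frozen=True)
class Grant:
    vendor: str
    role: str
    resources: FrozenSet[str]      # resources explicitly approved for this vendor
    expires: date
    last_used: Optional[date] = None


def authorize(grant: Grant, resource: str, today: date) -> bool:
    """Deny-by-default decision for a single access request.

    Access is allowed only if the grant is current, the resource is named
    explicitly in the grant, and the resource is also within the role's
    need-to-know set. A wildcard grant is never honoured here; it is
    surfaced as a finding by review_access() instead.
    """
    if today > grant.expires:
        return False
    if resource not in grant.resources:
        return False
    return resource in ROLE_RESOURCES.get(grant.role, frozenset())


def review_access(grants: List[Grant], today: date) -> List[Tuple[str, str]]:
    """Periodic access review: return (vendor, finding) pairs that need action."""
    findings: List[Tuple[str, str]] = []
    for g in grants:
        allowed = ROLE_RESOURCES.get(g.role, frozenset())
        if WILDCARD in g.resources:
            findings.append((g.vendor, "wildcard grant: ON/OFF access to the whole network"))
        excess = g.resources - allowed - {WILDCARD}
        if excess:
            findings.append((g.vendor, f"scope exceeds role '{g.role}': {sorted(excess)}"))
        if today > g.expires:
            findings.append((g.vendor, f"grant expired on {g.expires.isoformat()}"))
        if g.last_used is None or today - g.last_used > STALE_AFTER:
            findings.append((g.vendor, "unused for over 90 days: candidate for revocation"))
    return findings


# Constructed sample grants; vendor names and resource paths are hypothetical.
TODAY = date(2025, 6, 10)
SAMPLE_GRANTS = [
    Grant("acme-hvac", "hvac-maintenance", frozenset({"bms/hvac-controllers"}),
          expires=date(2025, 12, 31), last_used=date(2025, 6, 1)),
    Grant("paytech", "payroll-support", frozenset({WILDCARD}),
          expires=date(2025, 12, 31), last_used=date(2025, 6, 9)),
    Grant("webco", "web-agency", frozenset({"dmz/www", "hr/payroll-db"}),
          expires=date(2025, 1, 31), last_used=date(2025, 1, 15)),
]

if __name__ == "__main__":
    for vendor, finding in review_access(SAMPLE_GRANTS, TODAY):
        print(f"{vendor}: {finding}")
```

Run as a script, the review reports nothing for the HVAC vendor, flags the payroll vendor's wildcard grant, and raises three findings for the web agency (a resource outside its role, an expired grant, and no use in over 90 days). The design point is that the decision function and the review function enforce the same role table, so a grant that was widened by hand shows up at the next review rather than silently staying in force.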
Third-Party Policies and Enforcement
To reduce the risk of a data breach, third-party vendor policies should be reviewed regularly and kept up to date, taking emerging security threats into consideration. Policies are meant to be enforced; if your organization isn't enforcing its security policies, you're establishing a precedent with vendors that your rules need not be adhered to. This can result in a precarious security situation where rules are disregarded and your network becomes vulnerable without your team knowing it.
Audit, Audit, Audit
Include an audit in the terms of your SLA with all vendors. This ensures that every third party knows its obligation to participate, understands its role in maintaining security, and is encouraged to prepare. Having an agreement to meet certain security guidelines isn't enough; all vendors must be audited to establish their compliance. Considering that most data breaches are attributed to third-party vendors, audits should be taken seriously. Resolving the issues an audit uncovers is an important step toward a stronger network and a mutually beneficial vendor/client relationship. If a vendor fails to meet your security needs, the relationship may need to be reconsidered.