A survey conducted by Soha Systems on third-party risk management found that 63% of all data breaches were attributed to a third-party vendor. The same study found that only 2% of respondents consider third-party access amongst their top IT priorities. This study highlights how third-party access is clearly a significant risk and how the risks are being underestimated by organizations.
Your organization should be evaluating the security of all third-party vendors, service providers, and other parties to ensure they aren't putting your network at risk. You may be confident in your own security but a third-party vendor could make you vulnerable. After all, we’re only as strong as our weakest link.
Start with Yourself
If proper security measures are taken within your organization, you will reduce the risk of a breach and mitigate its impact if one were to occur. Your organization should put in place a multi-layered defense strategy that covers the entire organization, meaning all endpoints and devices. Staff are your first line of defense: employee training should be repeated annually, and a data security policy should be put in place for all employees. Employing encryption for your files in transit, on the network and even in the cloud will help protect your data from prying eyes and keep that data secure if a breach were to occur. By utilizing these additional security measures, your organization reduces the chances of a third-party vendor compromising your network.
Create an SLA
Creating a Service Level Agreement (SLA) or business agreement is key to ensuring your third-party vendors are upholding necessary security standards. Having an SLA with vendors reinforces your security needs, holds them legally responsible if a breach occurs due to their own negligence or fault (if included in your contract) and may require them to participate in audits. Assess your security requirements and be sure to include these in your SLA.
Limit Vendors' Access to Your Network
Bomgar conducted a survey on the security risks associated with third-party vendors and found that 44% of those surveyed reported an ON/OFF approach to vendor access, rather than granting vendors varying levels of access. This is scary news: without access controls for vendors, every vendor has access to your entire network, increasing the impact of a breach if one were to occur. Privileged access management is critical in protecting your organization’s network and should be customized so that every vendor is granted access based on their role. Vendors should only be given access to the programs and data they need to complete their job. Access should be reviewed regularly and modified to reflect changes in vendor responsibilities. Employing a multi-layered security approach with network segmentation ensures that if a breach occurs, other areas of the network remain protected.
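As an added illustration (not from the original article), the following Python sketch contrasts the ON/OFF access style the survey describes with role-scoped, periodically reviewed vendor grants; the vendor names, roles and systems are constructed for the example.

```python
"""Added example: models the two vendor-access styles the text contrasts.
An ON/OFF grant exposes every system to the vendor; a role-scoped grant
exposes only what the role needs and is flagged once its review is due.
All role, vendor and system names below are constructed placeholders."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed role catalogue: the systems each vendor role legitimately needs.
ROLE_SCOPES = {
    "hvac-maintenance": {"bms-controller"},
    "payroll-support": {"hr-db", "payroll-app"},
    # The ON/OFF approach: one switch that opens everything.
    "all-access": {"bms-controller", "hr-db", "payroll-app",
                   "file-server", "ad-admin"},
}


@dataclass
class VendorGrant:
    vendor: str
    role: str
    granted: str            # ISO date the access was granted
    review_days: int = 90   # review cadence the text calls for

    def allowed(self, system: str) -> bool:
        """True only if the vendor's role includes this system."""
        return system in ROLE_SCOPES.get(self.role, set())

    def review_due(self, today: str) -> bool:
        """True once the grant is older than its review cadence."""
        due = date.fromisoformat(self.granted) + timedelta(days=self.review_days)
        return date.fromisoformat(today) >= due


def exposure(grant: VendorGrant) -> int:
    """Systems reachable if this vendor's credentials were compromised."""
    return len(ROLE_SCOPES.get(grant.role, set()))


def review_report(grants, today: str):
    """Flag ON/OFF grants and grants whose periodic review is overdue."""
    findings = []
    for g in grants:
        if g.role == "all-access":
            findings.append((g.vendor, "on/off access: scope to a role"))
        if g.review_due(today):
            findings.append((g.vendor, "access review overdue"))
    return findings
```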
Third-Party Policies and Enforcement
In 2016, Bomgar found that 45% of those surveyed hadn’t reviewed their policy around third-party access in the last two years, and only 51% said their organization enforces policies around third-party access. To reduce the risk of a data breach, third-party vendor policies should be reviewed regularly and kept up to date, taking emerging security threats into consideration. Policies are meant to be enforced: if your organization isn’t enforcing its security policies, you’re establishing a precedent with vendors that your rules need not be adhered to. This can create a precarious security situation where rules are disregarded and your network becomes vulnerable unbeknownst to your team.
Audit, Audit, Audit
Include an audit in the terms of your SLA with all vendors; this ensures all third parties know their obligation to participate, understand their role in maintaining security, and are encouraged to prepare. Having an agreement to meet certain security guidelines isn’t enough: all vendors must be audited to establish their compliance. Considering most data breaches are due to third-party vendors, audits should be taken seriously. Addressing the issues an audit uncovers is an important step in establishing a stronger network and a mutually beneficial vendor/client relationship. If an organization fails to meet your security needs, the relationship may need to be reconsidered.