Third-Party Security Vetting (Part 1)
Cybersecurity Awareness – By Ron Frechette, The Cyber Coach
If you own or operate a small-to-midsize business (SMB), chances are you recently received a cybersecurity questionnaire from at least one of your clients asking numerous detailed questions about the security posture of your organization. If you haven’t yet, rest assured you will be receiving one in the very near future. We have seen a dramatic increase in these requests over the last six months, and the trend seems to be moving toward a common security best practice for many organizations as we move further and further into the Digital Age.
What is driving the demand for third-party security questionnaires and why are companies using them as part of their vendor selection (or deselection) and risk management process? We will tackle this issue in a two-part series over the next couple of months. This is an extremely important topic and we hope you find this information valuable from a personal and professional perspective.
Third Party Data Breaches on the Rise
Over the past decade, a majority of enterprise companies have invested millions of dollars in building highly secure and compliant infrastructures to avoid the risks of data theft, lawsuits, penalties for non-compliance and, most importantly, brand damage. This has obviously made it more time-consuming and difficult for cyber criminals to gain direct access. However, the third-party providers that large companies engage to perform services often require access to those same networks and systems.
Many of these third-party service providers have developed long-standing relationships with their larger clients and are considered “trusted partners.” For them, the topic of cybersecurity has been overshadowed by higher priorities (like profitability and ROI). The fact is that the majority of small-to-midsize businesses have not been hard-pressed to adhere to strict cybersecurity mandates until recently and are in the early stages of building sound and mature cybersecurity programs.
Cyber criminals are well aware of this, which has caused them to shift their attack vectors toward third-party providers in an effort to gain access to larger infrastructures. The Target breach is a prime example.
2018 Third-Party Ecosystem Risk Study
Opus and the Ponemon Institute conducted a study in 2018 that surveyed more than 1,000 CISOs and other security professionals across the US and UK. The primary objective was to understand the challenges companies face in protecting sensitive information shared with third-party vendors. Some of the key findings revealed the following:
- 61% of US companies said they experienced a data breach caused by one of their vendors or third parties
- 50% are unaware if supplier safeguards put in place are effective
- 22% of respondents admitted they didn’t know if they’d had a third-party data breach in the past 12 months
- 75% of organizations believe that third-party cybersecurity incidents are increasing
- 16% attested they effectively mitigate third-party risk
These findings have put larger companies and their security auditors on high alert, which is causing them to scrutinize the security practices of their current and future third-party providers. Third parties include any company whose employees or systems have access to a company’s systems or data (e.g. managed IT service providers, law firms, email providers, web hosting companies, subsidiaries, vendors, sub-contractors).
Top 10 Questions Asked in a Third-Party Security Questionnaire
Having a formal, documented cybersecurity program in place is the best way to respond to your clients when you receive a third-party security questionnaire. The common questions you will find include:
- Do you have an Information Security Policy and how often is it updated?
- Do you have an Information Security Officer that is qualified for the role?
- Do you conduct annual Security Risk Assessments?
- Are you conducting annual vulnerability/penetration testing of your network?
- Do you have an Access Privileges Policy?
- Do you have a Third-Party Service Provider Security Policy?
- Do you perform annual security awareness training with executives and employees?
- Is your data encrypted in transit and at rest?
- Can you provide a copy of your Disaster Recovery and Business Continuity Plan?
- Do you have an Incident Response Plan and is it tested and updated annually?
In closing, third-party service providers that can answer yes to these questions, and can provide the documentation to show that the security controls are actually in place, will minimize the risk of losing long-standing clients and will most likely have a leg up on their competition for winning future business. There are several cybersecurity advisory firms that can support companies through this process if they do not have the internal resources.
Until next month, wishing you a safe and secure journey in cyberspace!
Questions? Send me a tweet: @GoldSkyRon or email: firstname.lastname@example.org