1 (888) 836-6463 CONTACT US

Include Vendor Cybersecurity into Your Cybersecurity Plans

Oct 11, 2017 by Lisa-Mae Hill, CTPRP

October being National Cybersecurity Awareness Month reminds us to take a look at vendor cybersecurity.

When addressing cybersecurity, one area that is often overlooked is the cybersecurity measures your vendors have in place to protect your data. Many organizations are now outsourcing significant areas of their business including data storage, software, data processing and infrastructure. 

Part of developing a cybersecurity strategy needs to include managing these vendors to ensure they don’t become your weakest link. You could have the most comprehensive cybersecurity procedures in place, but if your vendors aren’t doing the same, your plan is as weak as theirs.

Vendor Cybersecurity Stats

Let’s look at some vendor cybersecurity data from the news.

Vendors have played a strong role in some of the most well-known breaches, such as:

Here are a few reports/studies that show the risk vendors contribute:

  • According to a 2017 report from Beazley, an insurance company, 30 percent of breaches were caused by employee error or data breached while controlled by third party suppliers. Read the report here.
  • A survey by Soha Systems (acquired by Akamai) says 63 percent of breaches were linked to vendor access. Read about the survey here.
  • A study, sponsored by BuckleySandler and Treliant Risk Advisors and independently conducted by Ponemon Institute, shows the lack of trust in vendors – specifically indicating that 37 percent of respondents don’t trust their vendors to notify them of a breach. And, 73 percent don’t trust their other parties (fourth parties, fifth parties, etc) to notify them. Read the study here.

The point of all this – vendor management is key in ensuring that your vendors are not only fulfilling their contractual service obligations but also protecting the information you are giving them or they are storing and processing for you. 

Entrusting a third party with your valuable information comes with risk and the best way to mitigate that risk is ensuring they have strong vendor cybersecurity plan in place. 

4 Areas to Judge Your Vendor on to Ensure Proper Data Safety

  • Testing: The way your vendor tests its own security posture and addresses vulnerabilities can be helpful in indicating how serious they take cybersecurity.
    • Does your vendor perform annual security testing such as internal and external vulnerability testing, penetration testing and social engineering testing? These types of testing help ascertain the organization's level of vulnerability to different types of exploit. Critical and high-risk vulnerabilities that are found need to be addressed as soon as possible and organizations should always be looking for lessons learned and mitigations for future incidents.

  • Protection: Pay attention to how your vendor protects data from destructive forces and from the unwanted actions of unauthorized users. Destructive forces can be data breaches, theft or intentional unauthorized release.
    • Things like encryption, well-documented and tested Data Retention and Destruction policies, and Data Classification and Privacy policies are all indicative of a solid and mature Sensitive Data Security program.

  • Employees, Contractors and Fourth Parties: Another area often overlooked is how your vendor ensures their employees, contractors and third-party vendors (your fourth parties) are prepared to protect data.
    • Confidentiality agreements, data security training and managing what employees, contractors and third parties have access to are all ways a vendor can ensure proper protection. Evidence, such as Confidentiality Agreements, Security training, Management of Vendors and Access Management, are just some of the ways a vendor can offer assurance that anyone with access to your data is properly trained.

  • Incident Detection and Response Plan: Incidents can happen at any organization and that’s why your vendor’s Incident Detection and Response plans are crucial. An incident can be anything that effects the confidentiality, integrity or availability of information or an information system. This could be a data breach, a targeted phishing email attack or a denial of service attack on your vendor’s service offering.
    • Make sure you know what their plans are and that they meet your needs.

Even the best vendor cybersecurity and overall cybersecurity plans can’t protect an organization against all attacks. But, they protect you against the majority of the cyber risk. For more vendor cybersecurity tips, download our infographic

Preparing for Vendor Cybersecurity in 2017
Lisa-Mae Hill, CTPRP

Written by Lisa-Mae Hill, CTPRP

Lisa-Mae is an experienced cybersecurity analyst with experience in both the private and public sectors. She has held the role of Subject Matter Expert and Information System Security Officer for a government based contractor and has extensive experience in Certification & Accreditation, CIS Critical Control Implementation and Auditing, Security Assessments and cybersecurity Policy. She has a Bachelor’s degree in Information Technology Management from State University of New York Delhi paired with many hours of additional cybersecurity and industry related training. She is also a Certified Third Party Risk Professional (CTPRP).

Follow Lisa-Mae Hill, CTPRP

Subscribe to the Venminder Blog