Over the last couple of weeks, we’ve explored the steps a company’s leadership team should take to prioritize cybersecurity and how businesses can improve their cybersecurity strategy by enhancing their employee-level cyber protocols. In this third installment of the Attacking Cybersecurity from the Inside Out series and in conjunction with the launch of Buchanan’s online cybersecurity portal, the Buchanan BreachCoach®, we will explore what companies can do to diminish the cybersecurity threats posed by a third group: their outside contractors.
Your Friend Or Your Worst Enemy: The Risks of Third-Party Contractors
According to PwC’s 2016 Global State of Information Security report, third-party contractors are the biggest source of security incidents outside of a company’s own employees. In fact, the well-publicized Target hack of a few years ago was made possible by system vulnerabilities at one of the company’s third-party contractors. The result was 40 million exposed customer credit card numbers and a cost to Target well into the hundreds of millions of dollars.
As we’ve said throughout this series, there is no cybersecurity silver bullet, but there are critical administrative actions company executives can and should mandate that are as important to thwarting cyber risks as technical IT protections such as firewalls and intrusion detection software. When it comes to cyber risk mitigation with third-party contractors, here are the straight A’s of best practices.
- Analyze Potential Third Parties’ Security Capabilities - Performing a risk analysis of a potential vendor is a necessary part of the vetting process. A company should establish upfront what kind of access the contractor will have to its systems and make sure the company maintains full oversight of that access. A potential vendor who will have significant access to legally protected or company confidential information should have a cybersecurity program that is certified by a reputable and independent certification organization. A vendor that has not obtained such a certification is not a qualified candidate, regardless of its capabilities and costs. The risks are just too great.
- Adopt Service Level Agreements - Before a company begins working with a third-party contractor, a service level agreement (SLA) should be created and agreed upon. An SLA is more than just a bare-bones definition of the work to be done. It is the company’s opportunity to demonstrate that cybersecurity is a priority and to articulate what the vendor must do to meet the company’s security expectations. Spelling out specific security obligations is important to ensuring the third party knows and fully understands what is required of it. This list of specifics should include information privacy, confidentiality and security representations, indemnity, internal risk analysis expectations, audit rights, breach notification requirements, cyber liability insurance and the parameters of network and data access controls.
- Assess Third-Party Vendors Regularly - Although the SLA should give the company the right to audit a vendor’s security, many companies are not in a position either to conduct a vendor audit themselves or to engage an independent expert to do it for them. Requiring a current independent security certification is a reasonable way for the company to have confidence that its vendor is maintaining appropriate security measures. A company should also establish an internal list of “triggers” – events involving the third-party vendor that prompt a closer review of the vendor’s security measures. Triggers are events symptomatic of an organizational problem, such as a performance issue or an indication of financial distress, that could signal the development of a cybersecurity risk.
Establishing and monitoring a company’s own cybersecurity program is one challenge; ensuring that each of a company’s third-party contractors is doing the same is another. By following the steps outlined above, every company can be best prepared to mitigate third-party cybersecurity threats. These steps, along with those outlined for employees and executive management, come together to form the strongest trio of defenses any company can have when it comes to cybersecurity.
In our next and final installment in the series, we will take a look at the real costs to a company – financial, reputational and operational – of a cyber breach.
Buchanan BreachCoach® is a new online portal providing you with the tools, articles, and insights to help protect your business from cyber-attacks and their aftermath. Through Buchanan BreachCoach®, you’ll have direct access to our team of cybersecurity lawyers as well as helpful tools like our data breach cost calculator, which will give you a better understanding of the negative financial impact a data breach could have on your business.