One of the most often overlooked security holes in many companies is through third party providers. Companies may have a comprehensive security policy in place for their internal networks, with provisions for mobile devices and a great data loss prevention strategy, but may leave themselves wide open when it comes to the third party security. Continuous monitoring of third-party security vulnerabilities and threats is essential for effective vendor risk management.
Recently, we have seen numerous breaches in such large corporate environments as Target, Goodwill, Home Depot and many more. The scary thing is that all of these breaches have been, at least in part, caused by third-party vendors.
Similar breaches are all too common in communication and internet technology. For instance, AT&T, a major communication player, recently disclosed that its customers’ information was compromised by a third party vendor, which allowed the service provider to access confidential information such as Social Security numbers and birthdates of its customers.
In a recent paper by Raither and Ganow (Attorneys with Faruki, Ireland & Cox), it was noted that the protection provided by things such as firewalls and strong passwords simply weren’t enough in this day of increased access points and third party suppliers. They suggest that companies put into place a comprehensive third-party security contract system that ensures third-party vendors take appropriate actions to secure important data.
Another study by Forrester Research for security rating company BitSight Technologies revealed that when it comes to tracking third-party risk, critical data loss or exposure and the threat of cyber-attacks rank as the top concerns. These concerns even ranked above actual delivery and quality of services. This shows that many companies are realizing the risks involved with third party contractors and are finding ways to combat these risks in order to minimize breaches and possible cyber-attacks.
This research also reveals that most IT security professionals agree that continuous third-party monitoring has had a major effect on companies’ security effectiveness in areas such as event identification, remediation and response times.
Raether and Ganow recommended that companies require third-party contractors and suppliers to comply with the same security policy that is in place within the corporation and that companies should retain the right to monitor and audit those third parties for compliance.
MacDonnell Ulsch, CEO and chief analyst at ZeroPoint Risk Research, wrote in SearchSecurity that third party vendors or affiliates of third party vendors are almost always involved in security breaches and attacks on data. Therefore, he writes, it becomes imperative that companies take third party security very seriously as well as taking necessary steps to prevent breaches of crucial data by third party vendors and service providers.
By taking an active role in third party security, companies can better equip themselves to address possible security breaches before they happen. It’s too easy to be complacent and believe that the third party vendors and/or providers are actively safeguarding your company’s data.
If you want your company to be truly secure from breaches of data, your IT must be on top of third party security right from the start and not assume those third party vendors or service providers are the ones who are going to be on top of it. This is just common (business) sense.