Third-party vendor data breaches are becoming an epidemic, even for organizations that themselves have solid information security programs. The Ponemon Institute's annual survey has shown year over year that the cost of third-party data breaches keeps rising. Many organizations struggle with how to hold third-party vendors accountable and enforce the same rigid standards and controls that they apply internally. The big question is: how do organizations prevent third-party vendor data breaches? There are several tactics an organization can leverage to ensure shared compliance by third parties and reduce overall third-party risk.

  1. Audit third-party vendors for compliance.
  2. Require proof of third-party vendors’ cybersecurity program.
  3. Adopt a least privileged model for data access.
  4. Adopt the Zero Trust network and data model.

Audit the Third-Party Vendor for Compliance

Many third-party vendors are not open to being audited by partners. If your third-party vendor is resistant to a third-party audit, you must ask yourself: do you really want to do business with them and put your organization at risk? Auditing is the natural practice of verifying that an organization is doing what it says it is going to do from a risk and cybersecurity perspective. An audit of a third-party entity should be paid for by the organization requesting it, and it needs to be as low-impact as possible so as not to disrupt the vendor's ability to conduct business. The audit should look at how effectively the organization is executing against its security compliance framework. Also, make sure that the audit looks for indicators of compromise and for failed past audits.

Require Proof of the Third-Party Vendor's Cybersecurity Program

Proving that the third-party vendor has an information security program is only half the battle in the fight against third-party breaches. Risk management must be demonstrated by reports and assessments showing without a doubt that the basics of a vulnerability management program are implemented and ongoing. Make sure to ask for the most recent results from risk assessments, penetration tests, and compliance framework assessments. It is critical that the third-party organization have a robust risk management program and that they themselves also have a supply chain risk mitigation strategy.

Adopt a Least Privileged Model for Data Access

The third-party data breaches of the past have one thing in common: third-party entities were provided with more access than they needed. Imagine if your third-party entities were only given the access they needed, at the time that they needed it. Least privileged access is essential in order to prevent data breaches and protect sensitive data. It is difficult to breach something that an attacker cannot reach through stolen credentials or a vendor VPN tunnel. Least privileged access is the cornerstone of third-party risk management.

Adopt the Zero Trust Network and Data Model

When your network flows are mapped, authenticated, and encrypted, security magic happens. Attackers are unable to steal data or move laterally through an environment when Zero Trust is implemented. Zero Trust is an information security framework which states that organizations should not trust any entity inside or outside of their perimeter at any time. It provides the visibility and IT controls needed to secure, manage, and monitor every device, user, app, and network being used to access business data. It also involves on-device detection and remediation of threats. This is especially useful for reducing third-party risk and preventing cyberattacks. Authenticated flows should be bolstered with multifactor authentication to prove that the user is who they say they are by validating something they have, something they know, and something they are (biometrics). Encrypted communications and data ensure that only the right people have the right access to the right information at the right time.
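The two preceding sections, least privileged access and Zero Trust, come together in how each vendor request is decided. The following is an added illustration (not code from the original article) of such a decision: every request is checked for an encrypted flow and completed multifactor authentication, then against a grant that is scoped to specific actions and valid only for a time window. Vendor, resource names, factor types, and times are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Constructed illustration: vendor, resource names and times are made up.

@dataclass(frozen=True)
class Grant:
    vendor: str
    resource: str
    actions: frozenset      # least privilege: only the actions actually needed
    not_before: datetime    # and only for the window in which they are needed
    not_after: datetime

@dataclass(frozen=True)
class Request:
    vendor: str
    resource: str
    action: str
    at: datetime
    mfa_factors: frozenset  # factor types verified for this session
    encrypted: bool         # flow is protected in transit

# "Something they have" plus "something they know", as listed in the article.
REQUIRED_FACTORS = frozenset({"possession", "knowledge"})

def decide(req: Request, grants: list) -> tuple:
    """Verify every request: transport, identity proof, then a scoped,
    time-bound grant. Network location is deliberately not an input."""
    if not req.encrypted:
        return False, "flow not encrypted"
    if not REQUIRED_FACTORS <= req.mfa_factors:
        return False, "multifactor authentication incomplete"
    for g in grants:
        if (g.vendor, g.resource) != (req.vendor, req.resource):
            continue
        if req.action not in g.actions:
            return False, "action outside granted scope"
        if not g.not_before <= req.at <= g.not_after:
            return False, "outside grant validity window"
        return True, "allowed by scoped, time-bound grant"
    return False, "no grant for this vendor and resource"

def run_samples() -> list:
    start = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    grants = [Grant("billing-vendor", "invoices", frozenset({"read"}),
                    start, start + timedelta(hours=4))]
    ok = Request("billing-vendor", "invoices", "read", start + timedelta(hours=1), REQUIRED_FACTORS, True)
    late = Request("billing-vendor", "invoices", "read", start + timedelta(days=2), REQUIRED_FACTORS, True)
    write = Request("billing-vendor", "invoices", "delete", start, REQUIRED_FACTORS, True)
    weak = Request("billing-vendor", "invoices", "read", start, frozenset({"knowledge"}), True)
    return [decide(r, grants) for r in (ok, late, write, weak)]
```

Only the first sample request is allowed; the others fail on the expired window, the out-of-scope action, and the incomplete second factor respectively, and each denial names its reason so it can be logged and reviewed.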

Preventing third-party data breaches is a tall order. Attackers target credit card data, social security numbers, and personal information. It is difficult to enforce third-party compliance in many cases, since your organization often does not have control over what the third party does. It really comes down to the level of risk an organization is willing to accept. If the third party is the only one in the industry able to supply what your organization needs, enforcing a third-party vendor risk program becomes challenging.

That said, there are several options for an organization to apply the proper pressure to shape the overall supply chain risk program for itself and others. Coming to a third-party vendor with a well-thought-out risk management plan is a great start. Most organizations know the security basics, like protecting against malware, ransomware, and phishing. The real challenge comes when organizations decide what will be shared between them. Thinking security first when pursuing a third-party vendor relationship will ultimately lead to the prevention of third-party data breaches.