“Your cybersecurity is only as good or bad as that of your vendors.”
By 2019, the cyber security market will be worth a mammoth $155.74 billion. The market for next generation security appliances like firewalls could be worth between $15 billion and $20 billion over the next three years. These big numbers reflect the dawning realization among businesses that they need to fortify their mission critical systems against cyber threats. The cost of recovering from cyber fraud or data breaches goes up every year. According to Ponemon Institute’s 2014 Cost of Data Breach Study: Global Analysis, the average cost to a company of recovering from such a security breach was $3.5 million, an increase of 15% from the previous year.
This is big money.
Businesses cannot afford to take cyber security lightly and, to be fair, they aren’t. Organizations are getting serious about data and network security. There is a very perceptible focus on implementing IT security strategies and solutions; spending on security technologies is set to increase by 46% in 2015.
The availability of NGFWs and advanced UTMs has revolutionized network security as we know it. The deeper network security and application control that such appliances deliver is helping organizations combat ever evolving security threats.
But here’s a question for you: does deploying high end security appliances with advanced detection and protection capabilities guarantee zero data breaches? Will it assure a complete clampdown on cyber theft and the ingress of threat actors?
Unfortunately, the answer is no. Surprised? Don’t be. The sanctity of your data and the security of your network do not depend only on the nature of your security policies and the deployment of future ready security appliances.
Think about it for a second. Your network might not be directly attacked by threat actors. If they find your perimeter security difficult to break into, they will not give up. Their next step will be to conduct a reconnaissance to identify an initial point of penetration into your network.
Third Party Vendors – Your Unlatched Backdoor
Third party vendors are turning out to be unlatched backdoors through which hackers are gaining entry even into well-protected IT networks. There are increasing incidents of attackers using third party vendors to compromise organizations, infiltrate their networks and gain access to sensitive information. According to research conducted by the security ratings company BitSight Technologies, almost a third of breaches in the retail sector originated with a security breach at a third party vendor.
The problem is so serious that the New York State Department of Financial Services released a report focusing on potential cyber security vulnerabilities with banks’ third party vendors. The survey makes a clear case for proactively monitoring key threat vectors from third party vendors.
Think of your third party vendors as the weak links in your organization’s network security chain. There is a tendency amongst organizations to say they aren’t concerned with the security vulnerabilities of their third party vendors, but it is this apathy that can expose your network to vulnerabilities. It’s important to see such vendors as an extension of your enterprise; this allows you to insist they meet the same standard of security compliance as does your organization.
This is important because as a first party you cannot disown liability for the cyber security missteps of your third party vendor. You are as liable for third party cyber security missteps as you will be for your own errors.
A case in point is Target, which will wind up paying around $252 million in expenses related to a breach resulting from hackers stealing network credentials from a third party vendor.
Can you wait for your vendors to realize on their own that their security protocols are found wanting? Or do you think pure blind luck will carry the day and ensure your third party vendor doesn’t cause you security grief? If you are serious about securing your network and leaving nothing to chance, you can’t depend on providence to save the day. You must take proactive steps to ensure security black holes at your vendors’ end don’t suck you in. What you need to do is guard yourself against oversight.
You must take preventive steps that will help you stop hackers from piggybacking on a security glitch at a third party vendor’s end, and breaching your network.
Here’s what you must do:
• Plan for Third Party Data Vulnerabilities
What if, in spite of your best efforts, you are still hit by a cyber-attack courtesy of your third party vendor? If you don’t have a plan to manage such third party incidents, you’ll end up answering them with a knee jerk reaction. As can be imagined, such answers will not be sustainable over the long term. What you need is a well-planned incident response policy. You must not only implement this plan but test it periodically to ensure its threat prevention and detection capabilities keep pace with the evolving cyber-attack landscape.
A key element of a mature and future proofed incident response plan is drawing up concrete SLAs with vendors that do two very important things:
- If security vulnerabilities in their organization are reported to them, they must guarantee that they will provide a fix.
- If the vendor finds a security compromise, it must be reported to your organization.
Establish a ‘security hotline’ with the vendor through which security lacunae in the vendor organization are clearly communicated, so that these can be fixed quickly.
• Due Diligence Before Signing Them On
Before you get third parties onboard, thoroughly research their credentials. Get a clear idea about their reputation on the market and ask for verifiable references that prove the vendor’s commitment towards cyber security. Investigate the vendor’s network security antecedents, IT security policy and its implementation to make sure you are comfortable with their privacy and security ecosystem.
The amount of due diligence you conduct should be directly proportional to task sensitivity. The more sensitive the task of the third party vendor, the more diligently you must pursue your investigation.
• Identify Points of Sensitive Convergence
Map vendor responsibilities vis-à-vis your organization. This will help identify points of convergence where a vendor’s system needs to access and/or interact with sensitive client information. Such points of contact must be clearly documented. Also find out if this interaction comes under the purview of any industry regulation your organization must adhere to.
The critical nature of the job the vendor is doing must be conveyed to them, along with the adverse impact of not securing access and interaction points. You could even work out liabilities with the third party by identifying the risks it brings to the table courtesy of any missteps in its network security.
• Bolster Your Internal Security
Like it or not, you might not be able to impress upon third parties the need to address network security vulnerabilities in their organizations. As an enterprise organization that works with and stores sensitive client information, you cannot be ambiguous about securing your data and networks. This is why you must do everything possible to put in place data safeguards. Make sure the NGFW you’ve deployed offers you Deep Packet Inspection, complete visibility and controls over your users and applications, an effective IPS (Intrusion Prevention System), and powerful reporting, among other things.
Something else you must do is ensure users in the network don’t ignore data breach warnings. At the first sign of trouble, threat response should kick into gear. This cannot happen if you do not sensitize users on the importance of network security and what it means for the organization.
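The three steps above (scaling due diligence to task sensitivity, documenting every point where a vendor system touches sensitive information, and enforcing and monitoring that access on your own side) can be tied together in a single vendor access register. The script below is an added example written for this post, not Cyberoam’s code or any product’s API: it assumes a constructed register of vendor access points, a constructed sensitivity scale (public, internal, confidential, regulated), a hypothetical `src=… dst=… port=…` connection log format, and vendor addresses drawn from documentation ranges. It derives the required depth of due diligence from the most sensitive data class a vendor handles, lists access points that were never formally documented, turns only the documented points into default-deny allow rules, and then audits sample connection lines against those rules so that a vendor reaching a system it was never mapped to is surfaced rather than ignored.

```python
import ipaddress
import re
from dataclasses import dataclass

# Ordered data classes; this scale is an assumption of the example, not a standard.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}

# Depth of due diligence, proportional to the sensitivity of what the vendor touches.
DUE_DILIGENCE = {
    0: "security questionnaire",
    1: "questionnaire and verifiable references",
    2: "policy review, references and a breach-notification SLA",
    3: "independent audit evidence, policy review, SLA for fixes and breach reporting",
}


@dataclass(frozen=True)
class AccessPoint:
    """One point of convergence between a vendor system and an internal system."""
    vendor: str
    source_cidr: str          # vendor network the connection must originate from
    dest_host: str            # internal system reached at this point
    dest_port: int
    data_classes: tuple       # data the vendor handles here
    regulations: tuple = ()   # regulatory regimes in scope for this interaction
    documented: bool = True   # has the point been formally recorded and reviewed?


def risk_tier(point):
    """Highest sensitivity among the data classes the vendor touches at this point."""
    return max(SENSITIVITY[c] for c in point.data_classes)


def due_diligence(point):
    """Due-diligence depth required before signing the vendor on for this access."""
    return DUE_DILIGENCE[risk_tier(point)]


def undocumented(register):
    """Access points that exist but were never formally documented: review these first."""
    return [p for p in register if not p.documented]


def build_allow_rules(register):
    """Default deny: only documented points of convergence become allow rules."""
    return [(ipaddress.ip_network(p.source_cidr), p.dest_host, p.dest_port)
            for p in register if p.documented]


# Hypothetical log line format assumed for this example.
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) port=(\d+)")


def audit_connections(rules, log_lines):
    """Return log lines that match no allow rule (or cannot be parsed at all)."""
    violations = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            violations.append(line)          # unparseable lines need a human look
            continue
        src = ipaddress.ip_address(m.group(1))
        dst, port = m.group(2), int(m.group(3))
        if not any(src in net and dst == host and port == p for net, host, p in rules):
            violations.append(line)
    return violations


# Constructed register: vendor names, hosts and ranges are made up for the example
# (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
REGISTER = [
    AccessPoint("Payments Processor Ltd", "203.0.113.0/24", "payments-db", 5432,
                ("regulated",), ("PCI DSS",)),
    AccessPoint("Facilities Co", "198.51.100.0/24", "bms-gateway", 443, ("internal",)),
    AccessPoint("Facilities Co", "198.51.100.0/24", "file-share", 445,
                ("confidential",), documented=False),
]

# Constructed sample log lines in the assumed format.
SAMPLE_LOG = [
    "src=203.0.113.10 dst=payments-db port=5432",   # documented, allowed
    "src=198.51.100.7 dst=bms-gateway port=443",    # documented, allowed
    "src=198.51.100.7 dst=payments-db port=5432",   # facilities vendor reaching payments
    "src=203.0.113.10 dst=file-share port=445",     # never mapped for this vendor
]


def main():
    for point in REGISTER:
        print(f"{point.vendor} -> {point.dest_host}:{point.dest_port} "
              f"tier={risk_tier(point)} diligence={due_diligence(point)}")
    for point in undocumented(REGISTER):
        print(f"UNDOCUMENTED access: {point.vendor} -> {point.dest_host}")
    for line in audit_connections(build_allow_rules(REGISTER), SAMPLE_LOG):
        print(f"ALERT outside documented vendor access: {line}")


if __name__ == "__main__":
    main()
```

The allow list is deliberately built only from documented access points, so an undocumented path shows up twice: once in the register review and again as an audit violation when it is actually used. Feeding real firewall or proxy logs through the same check is what turns the mapping exercise into an ongoing control instead of a one-off document.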
Third party vendors will be your weakest links only if you allow them to be. The key is to take responsibility for their network security as well as your own. Learn more about Cyberoam network solutions at www.cyberoam.com. For similar security alerts, subscribe to Cyberoam Blogs.