By Danny Bradbury
You may have your own computing infrastructure locked down, but what about the rest of your digital supply chain? Third-party risk is an often-overlooked cybersecurity issue, but as more companies deal with each other digitally, it is becoming an increasingly weak spot.
Cybersecurity breaches often come from unexpected quarters such as compromised third party accounts, which can give hackers a window into your system. One of the most famous was the 2013 attack on Target, in which intruders used a HVAC contractor’s network credentials to break into the retailer’s infrastructure and target its POS systems.
A service provider that uses company data on their own premises represents another potential weak spot. This year, chat and customer services company 7.ai suffered a malware infection that compromised credit card information and other personal data for hundreds of thousands of its clients’ customers. Best Buy, Sears and Delta Airlines were among those affected.
Third-party risk is increasing still further as cloud-based services make it easier to deal with third parties. Recently, researchers found a map of hosting giant GoDaddy’s services, including critical server configurations, floating around unencrypted online. A salesperson at the company’s cloud services provider, Amazon, had published the details in an S3 storage bucket without properly protecting it from external visitors.
Finally, let’s not forget insecure third-party products. Heartbleed, the security flaw that came to light in 2014, was a bug in popular open source product OpenSSL that left thousands of organizations vulnerable. More recently, a bug in web accessibility plugin BrowseAloud enabled attackers to co-opt thousands of visitors to websites including the UK’s own Information Commissioner’s Office.
Protecting organizations from partners’ slip-ups means taking a big-picture view of your information architecture and its underlying infrastructure. Historical views of the network perimeter are now hopelessly out of date as companies do business digitally with those outside it. So it’s time to take a broader view of the enterprise data lifecycle along with the infrastructure that supports it and the different stakeholders that come into contact with it. Here are some ways to do that and mitigate third-party risk.
Update security policies
It all starts here. You cannot hold third parties accountable until you have a solid internal standard for security that they can adhere to. Review security policies relating to infrastructure, information and personnel so that you are ready to engage product vendors and service providers with a clear set of rules.
Prioritise your vendors
Create a categorised list of third-party product vendors and service providers. Prioritize them according to how critical their products and services are to your business.
Audit service provider data usage
Assess which service providers have access to which data, and check to see how they are managing it. Conduct a gap analysis to ensure that these practices align with your security policies. Where there are misalignments, change what is happening and ensure that commercial contracts with vendors reflect the proper security practices.
Audit third-party products
Ensure that the products you’re using internally from third-party providers are safe. Begin with the products that are most critical to your business. This involves checking to ensure that the vendor has a regular security patching schedule and applying those patches accordingly. Pay attention to open-source products. Do you have a commercial support contract for those? If not, check regularly for known vulnerabilities highlighted by the community.
Understand third party access to your infrastructure
Find out which third parties have access to your internal resources, whether via direct network logins or APIs. Ensure that you properly manage their privileges and that the resources they are allowed to access are appropriately segmented from the rest of the network.
Use technical mitigations where appropriate
You can often use technical measures of your own to provide defence in depth when dealing with a third party provider. One example is a cloud access security broker (CASB) service that can add a layer of security before your data reaches a SaaS provider’s servers, for example.
Align security policies with procurement procedures
Ensure that your procurement practices reflect your security policies so that new service providers will understand how to protect your data during operation. This applies to product vendors, too. They should be able to demonstrate secure software development lifecycles and an appropriate security audit and patching mechanism.
Make it a regular process
Practice has a habit of slowly detaching from policy. Conduct regular audits to ensure that your vendors and service providers are still sticking to your requirements.
Managing third-party cybersecurity risk can sometimes seem like shoring up a leaky plumbing system. It’s difficult to know whether you’ve identified all the holes in all the pipes. These measures will take time, but they will also help you to tackle the problem methodically, minimising the potential trouble spots in your extended ecosystem.