Cybersecurity - Third Party Vendor Risk Management
Brought to you by WBR Insights
In our first article in this series, we discussed ways to implement a cybersecurity awareness program and how to create a culture of security throughout your organization. However, while many cybersecurity risks come from within, that doesn't mean they cannot also come from without.
Outsourcing is the new black when it comes to business, with many brands farming out elements of their business to third-party vendors. Even if your business does not, almost every company must rely on third-party suppliers to one degree or another.
While this can pay dividends for productivity and the bottom line, it does bring along certain inherent risks as well. A 2018 study found that over half (56 percent) of organizations attribute cybersecurity-related data loss to vendors or other third parties. Furthermore, just 35 percent of organizations rate their third-party risk management program as highly effective, and only 34 percent have a comprehensive inventory of all their vendors.
It's no wonder then that there is a strong need to shore up your business's defenses when it comes to managing third-party risk.
Airbus - a Cautionary Tale
2019 has certainly been a year for high-profile cyber-attacks and it's little wonder given our increasingly connected world.
As the world's second-largest aerospace and defense company, Airbus has found itself on the receiving end of such attacks with some frequency. The brand has been targeted by four major cyber-attacks in the last 12 months and, unfortunately, one of them was successful and resulted in a data breach. The attack was linked to a cyber threat group operating out of China with a record of targeting aerospace manufactures and stealing their intellectual property.
However, what has made this spate of attacks significant is not the motive behind them or even their persistent nature. It's that they gained access to Airbus's infrastructure by targeting its third-party suppliers.
"This incident is being thoroughly investigated by Airbus' experts who have taken immediate and appropriate actions to reinforce existing security measures and to mitigate its potential impact, as well as determining its origins," said the company in a press release. "Investigations are ongoing to understand if any specific data was targeted, however we do know some personal data was accessed. This is mostly professional contact and IT identification details of some Airbus employees in Europe."
The moral of this story is that, if a massive brand such as Airbus can be breached via its third-party vendors, then your organization certainly can be, too. This means it could be time to take another look at your cybersecurity protocols regarding your own third-party vendors.
The first step in this process is to establish the exact nature of a vendor's relationship with your brand. You need to define business requirements, business relationships, and risk factors which will allow you to effectively generate a framework for vendor categorization.
Once categorized, you will be able to asses which vendors require a more thorough security assessment and which do not. Factors such as the vendor's role within your organization and the scale and criticality of that relationship will all combine to determine this. For example, a DJ you hire for a work Christmas party will not require the same scrutiny as a marketing company that has backdoor keys to your website.
The next stage is to carry out appropriate vendor assessments to determine their relative risk to your organization. These will need to be relatively in-depth and be crated to your industry to a certain extent, but there are some universals.
You can research the company online to see if there have been any issues in the past. Check that they haven't been penalized for any breaches of data compliance regarding regulations such as GDPR and that they take their responsibilities in this regard seriously. Not all fines are made public, but there are websites out there that attempt to track things such as GDPR breaches.
Making sure the vendors you do business with are in good financial health is another way of ensuring they are secure. Those that are struggling will be less likely to have top-level security in place and may also be vulnerable to extortion.
No matter how long you have been working with a vendor, the moment they put your own business at risk, you should consider severing ties and shopping around for a new partner.
You need to be carrying out regular reassessments and assessing whether the vendors you are doing business with are maintaining the high standards you expect. If they start to fall short and can't address security issues to your satisfaction, it's time to move on.
Third-party vendors are sure to be a hot topic at InfoSec Connect 2020, taking place in March at the Rancho Bernardo Inn, San Diego, CA.
Download the agenda today for more information and insights.