Organizations seeking to protect sensitive data from cybercriminals must worry about more than their own operations when assessing potential threats. Vendors represent one of the highest risk areas in an organization’s cybersecurity structure.
Did you know that many major data breaches—including those at Goodwill, Home Depot, Lowe’s, and Target—started with vendor security issues? Or that AT&T was fined $25 million earlier this year due to compromised customer information resulting from lax security at a few of its call center vendors?
A recent incident reminded me just how significant the security risk with vendors can be. I was helping a friend with some accounting issues, and we needed to access a server at her office remotely. When she told me her remote-access password was “password1,” that was scary. What was even scarier was realizing that a vendor—in this case, a small computer network support company—set up the remote access. If we can’t trust the hired computer help to be concerned with security, whom can we trust?
We recently began offering vendor review services because many of our clients were struggling in this area. Initially, we underestimated two things: the amount of time required to complete a thorough review and the number of issues that would be identified. The need for due diligence is quite real!
Performing a thorough “vendor due diligence” is critical not only when selecting a vendor, but also on an ongoing basis. This is true for third parties that host your data as well as those that have regular access to your data, including computer support vendors. You are paying for services, so you should demand security that meets or exceeds your own security standards.
Prior to beginning your due diligence, you may want to identify all vendors that have access to your personally identifiable data and what data is visible to each vendor. You may then vet vendors with a full review process or other steps, including paying them a visit and asking for a full tour of their facilities and a complete explanation of their operational and security policies. This research will complement any written documentation you may already have in hand.
Areas for reviewing vendors
Due diligence should begin with the contract. Never commit to a vendor unless the contract satisfactorily addresses crucial points including service-level agreements (SLAs), breach notification, and right to audit, among other factors. All contracts should start with a nondisclosure agreement. In addition, every contract or agreement should specifically address data security; you cannot assume that appropriate security controls are in place. This is particularly true for cloud applications. In addition to the contract, other areas should be investigated. Vendor reviews should focus on the following:
- IT security controls: All vendors should report on the key security measures they employ, and, in fact, many publish white papers explaining their security standards. Minimum security controls that should be in place for hosted data include:
- Strong password parameters requiring complex passwords that expire periodically and strong controls limiting administrative privileges for vendors and ensuring that vendors do not share administrative passwords and privileges;
- Invalid login lockout settings—e.g., three strikes and you’re out;
- Multifactor authentication to prevent logins from new systems, unidentified devices, etc.
- Encryption of data in transmission and at rest. It is worth noting that encryption at rest is sometimes an optional feature;
- Limits on which resources vendors are authorized to access;
- Establishment of an audit trail to identify who, by name, accessed the systems and which data, if any, they could see and/or change.
In addition to controls, the vendor should absolutely undergo some form of information technology audit. This may be an AICPA Service Organization Controls (SOC) report but for smaller vendors, it could be an alternate assessment providing assurances of adequate security. If you cannot obtain any security audit information, you should be concerned. In addition to a security assessment, you want to know how often the vendor conducts employee training.
- Financial condition: It usually is not difficult to access company financial data on large vendors—and that information definitely is worth reviewing. Vendors in poor financial condition often are more likely to take shortcuts that can compromise security. Sometimes, the vendor will have to discontinue services, leaving customers in the lurch. Smaller, privately held vendors usually don’t have to make financial information available, but you can question them about their growth rates, length of time in business, etc.
- Business continuity: While data security is paramount, data availability also is essential. Data is not worth much if you and/or your clients can’t access it. Vendors should have sufficient plans for backup data centers and telecommunications lines to ensure a seamless business continuity plan.
- Incident response: Because breaches are now considered inevitable, all organizations should have plans for dealing with one. There should be complete transparency, with all contracts including provisions for timely notification of an incident. Incident response involves the monitoring and detection of security events on a computer network and the execution of appropriate responses to those events. This issue is large enough that banking regulators recently published new guidelines pertaining to incident response, business continuity, and vendor capacity.
- Other issues: Vendor reviews also should examine insurance coverage, performance standards, SLAs, and compliance reporting. Vendors often do not readily provide assurance of compliance with critical standards and regulations, such as the Gramm-Leach-Bliley Act and Sarbanes-Oxley. You should demand to see those reports.
Big questions that should be answered
Your vendor reviews are not complete until you can answer the following basic, but important, questions:
- Did you review the correct vendor(s)? Multiple vendors may be involved with any given system because software providers typically outsource hosting functions to data center providers such as Amazon Web Services (AWS). The security information you receive is more than likely for the data center, not the company you are contracting with. You should be able to get assurances from both parties, but this is often not the case. If you cannot obtain security assurances from the primary vendor, you should be concerned.
- Does this vendor review the security of other vendors it uses? Every vendor will be using other vendors, and they should have due diligence procedures of their own. This is not a given. AT&T admitted that its procedures for vetting subcontractors needed improvement.
- Where is your data stored? This might seem simple and obvious, but it isn’t always easy to determine where your data resides. This is because vendors have multiple data centers as well as multiple backup locations. You need to know if your data is in foreign countries.
- Does the vendor have periodic vulnerability testing? Because exploited vulnerabilities cause so many of today’s breaches, it is important that every organization undergo periodic testing. This is not a given either. In addition to testing, the timely remediation of vulnerabilities is needed. It may require some digging to know that a good process exists at your vendor and the related data center.
Most organizations do not have sufficient vendor review procedures in place, but it is never too late to start the process. And the process should be ongoing, occurring at least annually. Here’s hoping that the tips above will help you ensure that the third parties you use don’t increase your cybersecurity risks.