In an age of out of control cyber threats how can businesses stay in control?
Sometimes you can’t see the whole picture until you stand back a little. But when change is accelerating at the speed it is within the business and technology world, and so much has happened in such a short space of time, that has become difficult. Over the past five years, we have seen drastic changes to our working systems, infrastructures, and processes. Cloud computing came along and opened up our network, workplace Bring Your Own Device policies started to make the perimeter fuzzy, and then the Internet of Things (IoT) disrupted things further. One result of the opening of these previously closed networks has been the accelerated emphasis on the importance of cyber security.
All of this change has resulted in an expanded ecosystem, and a greater choice and variety of vendors for businesses to deal with. The supply chain has become an ever-growing web of organisations offering services and sharing data. Unless you create a highly cooperative supply ecosystem, you won’t, as a B2B business, be able to compete effectively.
A crucial part of this cooperation is security. The 2015 Forrester report Use The Power of B2B Digital Ecosystems states that 74% of businesses research their vendors primarily using internet sources – essentially, transparency and connectivity are driving sales. Yet despite such research, findings from the Ponemon Institute show that 49% of companies had a data breach caused by a third party vendor.
In many ways the expanding networks and disintegrating perimeters are a positive boost for industry. An agile and connected vendor ecosystem is improving productivity, enhancing sales, and increasing revenues. Non-linear networks and distributed suppliers allow multiple skills, products and disciplines to combine and really maximise the power that technology has to take businesses to the next level.
But digital also opens the doors to more than just new partnerships – it opens them to cyber criminals too. Managing the risk posed by suppliers and vendors is necessary to ensure that this expansion of our systems remains a positive one that drives process and profitability.
Cyber security strategy in the vendor ecosystem
Third party vendor management, like all business, is about relationships: creating them, building them, maintaining them, and making sure they are symbiotic and of mutual benefit. Security is an inherent feature of a healthy relationship, and creating relationships that are secure must be at the start of any strategy. Later on, once a contract is in place, it is much more difficult to make retroactive changes to policy. Certain compliance standards mandate that vendors and associated business partners have the same security policy measures as the core business. But it isn’t just about adhering to mandatory restrictions; this is about common sense security measures. There is little point in your company having extensive protection measures for handling customer data if, once it gets onto your suppliers’ systems, it is open to simple phishing breaches. Security needs to be just as labyrinthine as the networks it supports, and move outwards from the core business into the supply chain and beyond to be effective.
It is important not to assume that all data handlers have security measures in place, and a business must take a top-down view of risk management within its supply chain. Another study by the Ponemon Institute, called Tone at the Top and Third Party Risk, looked at the effectiveness of top-level executives in creating a culture of risk management for third party vendors. Although 75% of executives thought that risks were increasing as a result of disparate and open communication channels throughout the supply chain, 49% of respondents had no security risk evaluation of vendors at all. This negligence can result in serious data breaches, as the examples below reveal.
Target Corp Customer Details
This serious breach in 2013/2014 affected around 70 million customer accounts, with the loss of personally identifying data, and around 40 million payment card details. The story of the breach reads like a litany of third party vendor security failures that were not picked up by the lax security assessment on the part of Target and their supply chain. Various security gaps were found, including poor authentication and a lack of software patching by the third party vendor – two of the most fundamental security measures that should be applied across any infrastructure.
Army National Guard Personal Data
This breach saw 850,000 service personnel user accounts compromised when they were improperly handled during a data transfer by a contract employee to a consultant. Whilst the Army were at pains to point out that the leakage was not the work of hackers, the fact that it was the result of poor internal management feels no more reassuring.
Millennium Hotels & Resorts North America POS Software
The use of source code as a means of hiding malicious code is a well-known supply chain entry point for malware, yet despite this the business did not put measures in place to prevent it. In this breach, it is likely that the infection of the Point of Sale devices happened during software updates to the terminals via the third party software vendor earlier this year.
Indian Railways Catering & Tourism Corp Hacking
In this very recent case, which is still being investigated, up to 10 million customer accounts may have been compromised through unauthorized access to data via the supply chain.
Compliance & Beyond
Compliance can be a driving force to mitigate third party vendor security risks. Recent changes to the U.S. Health Insurance Portability and Accountability Act (HIPAA), together with the related HITECH act, both of which cover the healthcare industry, have extended their reach to include all associated businesses, with the vendor ecosystem being legally required to comply with the security expectations of the acts.
In Europe, the new General Data Protection Regulation (GDPR) has a number of clauses which go into detail on the subject of ‘controller-processor contracts.’ Essentially, all parties involved in any data transfer, storage, and general handling need to be compliant, and liability will be upheld by the controller.
In the world of finance, updates to the PCI-DSS security standard (v3.2), which is responsible for the security of payment data, including POS and storage of card information, became effective this year. Some of the most important changes to the standard put emphasis on spreading the security risk through “shared responsibility” with the extended ecosystem of the financial supply chain.
Compliance is part of the whole in terms of vendor risk management, but it is only the start of the story. These regulations offer a compelling framework from which to begin a dialogue and look at structures for creating a vendor risk management program with an emphasis on security, but businesses must take responsibility themselves.
Four tips for secure Vendor Risk Management
Tip 1: Don’t reinvent the wheel.
Each industry has a number of areas that are at risk, many of which have already been identified by someone else. Starting with compliance requirements, use consultation around the most important areas of your supply chain to de-risk and instil a culture of security awareness and mandatory training across your ecosystem. The more intrinsic these operations are to the business, the easier it will be to make them scalable and sustainable.
Tip 2: Embrace the lost perimeter.
The fluidity of our industry means that attack vectors keep morphing as cyber criminals find new exploits. Insist on best-of-breed technology solutions, built to combat modern interconnectedness as a conduit for cybercrime. Products like a Web Application Firewall (such as the SES WAF), designed to mitigate attacks against web-based sensitive data, should be mandated, and the application of robust authentication measures should be the de facto standard.
Tip 3: Communicate across the ecosystem.
Communication about security issues should be part of the conversations between vendor and principal. The sharing of cybersecurity intelligence is gaining ground across many industry sectors, from government to finance. This sharing of knowledge should become a natural part of your vendor risk management policy.
Tip 4: Build feedback into your operations.
An ethos of continuous improvement around security risk management, right across your ecosystem, means that not only will security be suitable for today’s risks, but tomorrow’s as well. Make sure that reviews of policies and action items are regularly carried out and any necessary changes made.
Vendor risk management is an ongoing process. It’s never finished. Communication is key to making sure everyone is on board with your plans and policies, and it is relationships that support the implementation of effective risk management. An ethos and culture that understands and respects security across the network, and has data protection enshrined in practice, will be far more secure, successful and profitable. As the chains become systems and complexity increases, there really is no place for weak links.
Michael Liebi is the founder of United Security Providers and now serves as a Board Member.