3rd Party Vendor Security Risk Assessment
Organizations rely heavily on third parties for a range of complex services that support their ecosystems. Because of this dependence, an organization's success is closely tied to the governance, risk and compliance posture of its third parties: a lack of appropriate security controls within a third party will adversely affect the business.
Impact on Organizations due to 3rd Parties
Some Facts –
- “The alarming aspect of a third-party data breach is the sheer scale of impact. Hackers have the potential to attack thousands of organizations in one fell swoop. According to a study by KPMG, 73% of organizations have experienced at least one significant disruption from a third-party cyber incident within the last three years.”
- “A total of 98% of organizations worldwide have integrations with at least one third-party vendor that has been breached in the last two years, according to a report released Wednesday from Security Scorecard and the Cyentia Institute.
- Third-party vendors are five times more likely to exhibit poor security, the report found. Half of the organizations have indirect links to at least 200 fourth-party vendors that have suffered prior breaches.
- The information services sector maintained on average 25 vendor relationships, which is the largest number of any sector and more than double the overall average of third-party vendors, which was 10. Healthcare averaged 15.5 vendors and the financial services industry averaged the lowest number, with 6.5.”
Some of the costliest data breaches begin with third parties. Data is the most critical asset for most organizations, and managing the confidentiality, integrity, availability and privacy risks of data that flows across third parties (service providers and their subcontractors) poses specific problems. As data is processed, stored or transmitted by third parties, custody changes hands several times; it often contains information that directly identifies the organization's business or customers, and it travels throughout the ecosystem. As custodians, third parties should maintain security controls that protect the organization from reputational, operational, regulatory and financial risk.
Some common 3rd party weaknesses are as follows:
Lack of Access Management – Granting excessive privileges, which leads to privilege creep.
Lack of Patch Management – Failure to apply system and software security patches in a timely manner.
Lack of Security Testing – No regular dynamic (DAST) or static (SAST) security testing.
Lack of Secure Design – Many vendors do not apply secure design principles to their infrastructure and applications.
Lack of Incident Detection & Response – Inconsistent SIEM and log management practices.
Lack of Business Continuity & Disaster Recovery Plan – Some vendors have no plan at all; others have plans that are inconsistent or insufficiently tested.
How to limit 3rd Party Vendor Risks
The scope of 3rd Party Vendor services comprises multiple complex domains.
The services can be categorized and assessed to evaluate the upstream and downstream flow of data handled by a 3rd party.
A few actions to limit risks:
- Agreeing on a mutual non-disclosure agreement (MNDA) with proper data disclosure clauses.
- Agreeing on data processing and handling agreements that define data transfer, access, deletion and processing boundaries.
- Agreeing on regular gap assessments of 3rd parties against industry standards such as ISO 27001, HIPAA, NIST and COBIT.
- Agreeing on regular vulnerability assessment and penetration testing.
- Agreeing that the 3rd party will implement and follow the organization's security controls.
- Agreeing on implementing and maintaining security certifications and attestations (e.g., ISO 27001, ISO 27701, PCI DSS, SOC 1, SOC 2) and alignment with frameworks and regulations such as NIST and HIPAA.
Challenges in mitigating 3rd party Vendor Risks
- Lack of contractual agreements covering security testing, data processing and data handling.
- Lack of understanding of the types of data that will be accessed, transferred, stored or processed by 3rd party vendors.
- Lack of escrow agreements for organizations that depend on 3rd party software.
- Lack of a business impact assessment of 3rd party services.