You are only as strong as your weakest link. Nowhere does that statement ring truer than in how companies approach their cybersecurity strategy. In the age of constant breaches and cyberattacks, most companies have bolstered their internal cybersecurity defenses, but many are forgetting a key area that can leave them vulnerable: the third-party vendor loophole.

For many companies, using a third-party vendor is simply an afterthought. From payroll and healthcare services to analytics platforms and security products, everyone thinks of third-party vendors as integral to keeping their core business running. However, just because they are integral to keeping the company running, it doesn’t mean their networks are secure or that their cybersecurity policies are equal to your company’s standards.

Data breaches via third parties are a continued and growing problem for companies. According to the 2016 Data Risk in the Third-Party Ecosystem study by the Ponemon Institute, 49% of respondents confirmed their organization had experienced a data breach caused by one of their vendors. Additionally, only 41% of respondents reported that their vendors’ data safeguards and security policies and procedures were sufficient to respond effectively to a data breach. As evidenced, third-party breaches make up a large portion of breaches, yet they are often challenging to defend against because they are threats against a separate entity that companies have no control over.

So, what can companies do? First, companies must change the way they view cybersecurity. Companies must look at how information is protected across the entire business network. This means security must be accounted for by anyone who has access to the company network and data, including those the company does business with, not just internal employees. Because third-party vendors often have access to valuable company information, it is crucial to do research before bringing them into your network.
Below are some tips to help companies better align themselves with third-party vendors and stay better protected in the event of a breach.

1. Do Due Diligence

Just because a vendor is providing a needed service does not mean they put the same value, measures and protocols into protecting their networks.
Ask for a comprehensive list of the security policies and disaster recovery plans they have in place. Review these and make sure they align with the company’s needs and security standards. Don’t forget to make a record and keep copies handy in case there is a breach, so the blame game can be avoided as much as possible.
Ensure they regularly perform internal security audits and apply patches and software updates.
Perform thorough background checks on employees with access to company data. Unfortunately, many breaches come from internal sources. When companies share sensitive information with providers to perform a service, the providers’ staff should go through the same vetting process as if they were employees of your own company.
2. Document and Organize

When companies work with multiple vendors who have access to company information, it is important to stay organized and document who has access to what and how.
Companies need to know and organize where their data sets live, and which of them contain sensitive information and which do not.
Create a map of which vendors have access to company data, what that data is and the security measures the vendor has in place to keep it protected. Keeping all of this detailed ahead of time and organized in one place will help companies respond quickly in the event of a breach.
Place one person or department in charge of managing vendor security. Have a dedicated team working on vendor security and controlling who has access to what and how. This will help streamline the process.
3. Agree on Compliance & Data Breach Standards

It is important to agree on compliance standards before establishing a partnership with a third-party vendor.
Use a service-level agreement to specify, in the contract, the measures that protect the company’s data.
Outline responsibility in the event of a breach. There are data breach lawyers who can help clarify these terms and offer advice to put in the contract that protects the company in a breach or loss stemming from a third-party weakness.
Include an audit clause in the agreement. This helps verify through an independent party that the third-party vendor is following mandated regulations and proper security best practices and protocols.
There is no way around it: third-party breaches are going to happen and are even projected to grow in number. While the tips above are a starting point for building a better third-party vendor risk management program, it is critical that companies take these security vulnerabilities seriously and focus on bolstering the security of the entire ecosystem, not just the internal one they control, so their network can be better prepared to handle threats.
Too busy working all week to keep up with the most interesting stories coming out of the technology and security industries? Below are our recommendations for a roundup of the top stories happening now that you need to know.

“Yahoobleed” flaw leaked private e-mail attachments and credentials
For years, Yahoo Mail has exposed a wealth of private user data because it failed to update widely used image-processing software that contained critical vulnerabilities. That's according to a security researcher who warned that other popular services are also likely to be leaking sensitive subscriber secrets.
The Donald Trump administration, in its proposed fiscal year 2018 budget, outlines steps it contends would strengthen the U.S. federal government's information systems, even as it would cut some cybersecurity spending at specific agencies.
1. India's Zomato says data from 17 million users stolen
Global restaurant guide Zomato revealed this week that hackers have stolen data on about 17 million users. The breach includes personal information, including email addresses and hashed passwords.
2. 'PATCH Act' Aims to Help Prevent Cyberattacks
New legislation calls for an overhaul of the federal government's software vulnerability disclosure policies following the ransomware outbreak that was fueled by the leak of a stolen National Security Agency cyberweapon.
3. DocuSign's stolen emails lead to phishing attacks
Threat actors are using stolen DocuSign customer emails in a phishing campaign to spread malicious Word documents. A third party gained temporary access to a system used to communicate service-related announcements to users via email.
4. Facebook hit with maximum fine for breaking French privacy law
The French data protection watchdog has imposed its harshest penalty on Facebook for six breaches of French privacy law. The breaches include tracking users across websites other than Facebook.com without their knowledge, and compiling a massive database of personal information in order to target advertising.
1. Banking Trojan tests new attack techniques against high-profile targets
One of the world's most widespread forms of banking malware has taken on a more advanced form of attack to dupe customers of some of the most high-profile banks in the world into giving up financial details and login credentials.
4. Trump signs cybersecurity executive order
Today, after three months on the table, President Donald Trump signed a Cybersecurity Executive Order, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, meant to bring efficiency, clarity and additional protections to government IT systems.
1. Google Docs users hit with phishing scam
This week a Google Docs phishing scam affected about 1 million users. Users who clicked a link and followed instructions risked giving hackers access to their email accounts.
2. IBM warns of malware on USB drives shipped to customers
IBM has urged customers to destroy USB drives which shipped with some of its Storwize storage systems because they may contain malware.
Blockchain is emerging as one of the hottest cybersecurity and information-sharing solutions being talked about now, but does all its promise lie in the fact that it is the latest craze to hit the market and people want to be compliant, or is it a breakthrough waiting to happen? As with most things in life, it’s a little of both. Let’s first start with the positives.
The core idea of blockchain is a great concept because it has made people start thinking about security more seriously. Let’s be honest, most companies are simply paying lip service to security. “Yes of course our systems are secure;” “We use the latest security systems;” “We employ the most up-to-date security systems and policies…” But really, the word security has been used as an excuse not to go into details or to deflect blame and recrimination. However, blockchain has piqued the interest of many consumers: they are asking their companies about blockchain and how it could impact their environment. Simply put, whether buzz or not, blockchain is making people think more seriously about how their data is being managed.
Another area where blockchain has some very promising benefits is the cryptocurrency sector, where you have an open network of millions of transactions. In basic terms, blockchain enables a single version of transactional truth: an unchangeable, universally visible ledger that creates its own audit trail, decreasing the possibility of the backdoor transactions that most digital currencies face. Essentially, it can easily and privately move and store digital transactions securely, and the more widespread the network, the more difficult blockchain makes it to tinker with the data.
With that being said, it is too soon to tout blockchain as the be-all and end-all for our security woes. There are still several areas that need to be addressed.
Too many people are jumping on the blockchain bandwagon and hype. People are looking at it as the only mechanism and not looking at what the actual security issue is. It is a great tool for securing transactions and making sure transactions are verifiable, but it won’t secure the back-end databases. Blockchain focuses on securing the external world and exchanges, but it does not address the underlying security of the data.
Users put a lot of trust in the assumption that these blockchain-based digital currency exchanges have the right security protocols in place, yet time and time again it has been shown that they are not safe and your money could easily be stolen.
There are no regulations or reimbursement structures in place yet. When blockchain and cryptocurrencies experience security issues, who is responsible for covering customers in the event of a breach? There is still a lot that remains unsettled when it comes to regulatory status, and there are no current rules around offering insurance on digital currencies. The way blockchain-based transactions are set up now, no one will step in to help, and that is too great a risk to have the public exposed to.
While there are both advantages and disadvantages to blockchain, one thing is clear: as an industry, we need to look at all the solutions available, not put all of our eggs in one basket, and find ways to secure our information end-to-end rather than settle for the solutions that are hot for the moment. So stay tuned and let's see where the blockchain buzz goes.