Part 2: Know What Information Vendors are Able to Access

August 28, 2017

In today’s technologically advanced landscape, never more than a day passes without talk of a massive cybersecurity threat or a recent hack. And no industry is off-limits: from B2C to B2B organizations to tech companies and consumer retail brands, everyone should be on high alert. Alarmingly, a recent McAfee report stated that just 23% of organizations today completely trust public clouds to keep their data secure.

Because of the severity of cybersecurity threats, one of the most important things that organizations can do to prepare for and minimize risk is to first have a thorough understanding of what sensitive information or applications third party vendors have access to. Without this understanding, your team will not know which relationships pose the greatest risk to your organization and your case for broader awareness of these risks may not carry as much weight as it should.

Over the next several weeks, we’ll continue to address each of the 5 steps to raising awareness with your leadership team that we outlined in our latest ebook, “Why Third Party Security is Critically Important”. Today, we’ll address Part 2 of the series, “Know What Information Vendors Are Able to Access”. Did you miss Part 1? Check it out here.

How Third Party Vendors Pose a Significant Security Risk

When it comes to third party security, there are various aspects to consider, such as data that vendors have access to and how information is stored and transmitted. Now that your organization has access to your third party vendor list, you need to determine the level of risk that each vendor poses to your organization. Here are 2 initial questions to ask internally (and externally if needed) of each of your vendors:

  1. What data does the vendor store, transmit, process, and have access to? Consider data points like employee information, personally identifiable information (PII), customer data, financial records, HR information, marketing campaigns which often include customer and prospective customer information, and even your company’s proprietary coding language.
  2. What applications or integrations does the third party vendor have access to? Consider whether the vendor pulls in data from other systems in order to create richer profiles, such as a CRM or marketing automation system, or whether the vendor has connections to your accounting or email providers.

Keep in mind that different types of data present different levels of risk. For instance, one particular software may only have access to marketing data while others may have access to multiple sets of data (like a CRM system). Even though marketing data seems less risky than CRM data, that’s often not the case. Marketing software often contains rich data sets from previous campaigns targeted towards current customers and prospective customers alike, often numbering in the millions of records containing PII.

Consider this example: it’s one thing to have a sales enablement tool that allows your team to set more demos. But it’s an entirely different thing if that sales enablement tool plugs into your CRM via an integration as it exposes more sensitive data like pricing, addresses, emails and other personal information.

A Case Study: Google Docs

When a department or employee adds a tool to their Google Apps account, they usually don’t understand how that simple activity can create monumental risk. They don’t think about all of the other connected apps and implications that one seemingly harmless integration can have on the security of the entire business. But no vendor is untouchable as even Google Docs experienced a recent phishing attack that was so severe the United States Computer Emergency Readiness Team issued a statement. The attack spread because of the proliferation of these tools within businesses.

The Problem With Third Party APIs and Interfaces

Every time your organization puts data in the hands of a vendor, it raises concerns about the security of that data. According to IDC, the Software as a Solution (SaaS) market is growing at 5X the rate of on-premise software adoption, which increases the risk of an incident every single day.

In a recent survey, security was cited as one of the leading concerns of APIs and integrations. When it comes to these third party integrations, OAuth is the most widely accepted standard, “but there are still many APIs out there today relying on Basic Auth (17%), or some custom implementation of API Key & Secret (33%).”

While utilizing APIs with trusted vendors is a common practice, these the data exposed via APIs and interfaces is often a culprit of causing security issues for organizations. InfoWorld recently reported that “…APIs are cause for threat, the security and availability of cloud services — from authentication and access control to encryption and activity monitoring — depend on the security of the API. Risk increases with third parties that rely on APIs and build on these interfaces, as organizations may need to expose more services and credentials, the CSA warned.”

Categorizing Vendors By Risk

What’s the bottom line? If you don’t have an easily accessible place to store third party vendor information, then that should be your organization’s top priority. In addition, your Information Security team should lead an exercise in which every vendor is categorized in terms of risk, which should reflect the policy you have chosen internally on which to base the risk level of each vendor. If you haven’t yet established a policy by which to categorize risk, just start with a basic Low, Medium and High risk ranking system. Here are several risk-related points to consider in order to determine your ranking:

  • How critical is this vendor to your business operations? If this vendor went down for X hours, how would it impact your employees? Your customers?
  • Does the vendor integrate across multiple departments? Multiple systems?
  • What data does the vendor store? How much of it do they store?

You must realize that every organization’s rating system will be different. For example, your organization may have an HR software that contains VERY sensitive data, but it’s not mission critical to the organization and you may not be as concerned if the system goes down. If your data center provider goes down, however, you may stand to lose $100,000/minute. Even though the data center isn’t storing the same data as your HR software provider, it’s more critical to your business operations. Will you base your overall risk rating on business criticality, inherent risk of data, other risk factors (such as compliance risk or regulatory risk) or a mixture of all of the above? That depends on what is most important to your organization and is typically defined by the leadership team as they adopt your information security and risk policies.

Ready to Learn More?

Check out our resources below for more third party vendor best practices and insights on how your organization can effectively approach security assessments.

eBooks:

Why Third Party Security is Critically Important

Request a Live Demo with a Whistic Product Specialist

Risk Management information security cybersecurity data breach vendor management

About the author

Whistic
Whistic

The latest insights and updates on information security and third party risk management.

Hate security reviews?
Want FREE AirPods?*

Offer valid for any decision-maker/influencer in relation to your company’s third-party risk management strategy. Company size must exceed 100 employees. Exclusions apply. Limit 1 pair per company.

Close