An oft-repeated IT security truth is that an organization’s number one threat vector is its people. Human error does account for a large percentage of security breaches and data loss events. According to an Egress CIO survey conducted in March 2016, “93% of data security breaches occur(s) as a result of human error — that is, people making mistakes when sharing sensitive information, poor processes and systems in place, and overall lack of care when handling data.”
Proper employee training, both during the on-boarding process and at regular intervals during employment, is necessary to educate employees and protect your organization. But what about employees who don’t sit within your walls or don’t even appear on your payroll? The challenge really starts when you try to ensure that your third parties’ employees are also being properly trained in security and risk mitigation.
Why is it important to understand your third parties’ employee training programs? According to the 2016 Verizon Data Breach Investigations Report, “97% of breaches featuring stolen credentials leveraged legitimate partner access.” That means that at some point in 97% of those hacks, a third party was involved. That’s not to say that the third party intentionally allowed the hackers to breach their partners, but they also weren’t able to prevent them from doing so.
Still not convinced that you need to be concerned with third-party personnel? Based on research reported by Cybersecurity Ventures in August of 2015, “Third-party applications were the source of 80 percent of vulnerabilities.” And an oft-cited Trustwave Global Security Report revealed that “63% of data breaches involved a third-party vendor.”
How do Organizations Protect Themselves?
Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) bear the burden of protecting their organization from data breaches, including those that involve third-party vendors. Even the Board of Directors, the CEO and/or the President of the company need to become involved by making security a top priority for the organization.
Below we have outlined three ways leaders of organizations can set the tone at the top and help their entire organization understand the importance of security.
(1) Establish and Enforce Security Policies
Again, the number one threat vector for an organization is its people. Help employees understand the importance of security by establishing rigorous security policies and enforcing them. Offer training to each new employee who joins the organization, and then ensure that training is repeated on a regular cadence.
Ensure employees understand that the use of third-party applications and services also creates a potential threat vector. Require employees to put each vendor through a Vendor Risk Management Program (see item 3 below).
(2) Align Security with the Goals and Needs of the Business
Remember, security is not simply plugging holes. Just as IT typically plays a supporting role to the business, security should both protect and amplify business operations. Determine what the aims of the organization are, and design security policy to protect those aims and help make them a reality.
Resources are often tight, especially for small or mid-market companies. When evaluating security solutions, think in terms of how a potential threat would harm the business and how it would affect the ability of the business to continue as a going concern. Think also in terms of Business Continuity and Disaster Recovery. Ask yourself, “If we lost application XYZ for 5 days, would we be all right?”
(3) Vendor Risk Management Program
Finally, ensure you understand the threats posed to your organization by your vendors, partners, and customers. In today’s world it is almost impossible not to share data and some systems access with third parties, so make sure you understand the risks of that sharing before you formalize those relationships.
A robust Vendor Risk Management program should do three things:
(1) Give you an understanding of the level of access a vendor will have — what types of data will they be able to access, how will data be transacted between the organizations, which of your organization’s systems could they possibly impact, etc.
(2) Give you an understanding of the internal security controls of all of your vendors. How are your organization’s vendors managing security internally? Will they be able to protect your data and systems once they have access?
(3) Guide you in making critical third-party relationship decisions: not only which vendors to use, but how to interact with them and when to push your vendors to improve in some way.
Read a prior Whistic post to learn more about the future of the Vendor Risk Management process.