Conventional wisdom suggests employee access is the weakest link in enterprise cyber security. Now, there are good reasons to believe that the cybersecurity hygiene of your third-party vendors may be at least as weak as employee access. Third-party cybersecurity matters now more than it ever has before.
The Internet, along with Internet of things (IoT), is so entrenched in the business world that nearly all equipment and devices are connected to the outside world. This connectivity already includes: Point-of-sale devices, door access control, video surveillance, voice-over-IP telephone systems, A/V systems, HVAC, elevators, office machines and other appliance-type equipment that communicate via the Internet or the company’s internal computing environment, and it is growing daily.
HVAC and Cash Registers
Two high-profile examples include: 1) Target’s, HVAC vendor being hacked and unwittingly provided the “trusted” access to Target’s network. The Target systems were notably in complete compliance with security standards at the time of the hack. So, Target’s security was compromised most likely because the HVAC vendor had no customer-facing cybersecurity hygiene in mind, when their field team of technicians installed the new equipment. 2) Wendy’s fast food restaurant chain suffered a breach when attackers used login credentials of a third-party point-of-sale system to gain access to more than 1,000 franchise restaurants, including customers’ credit card information. Other recent high-profile breaches resulting from third-party compromises include large discount chain stores, pharmacies and medical centers. These breaches are still being investigated and many may be traced back to third party vendor systems. Today’s reality is that third-party connectivity is the weakest link in cybersecurity.
Despite an enterprise’s best efforts to obtain compliance for its own systems, it is impossible to succeed in maintaining a secure posture without coordinating with third-party vendors, frequently referred to in contracts as “trusted associates”. By coordinating, we are not proposing that such vendors comply with some security standard for back-office IT security. That, we believe, is misguided.
Instead, we recommend addressing your vendors’ customer-facing security practices…those practices used when a vendor is touching your systems or your data. These customer-facing practices directly impact, negatively or positively, your company’s vulnerability to cyberattacks and thus your security. Your vendor’s field staff may be doing you a disservice when they are installing or servicing your organization’s systems, and how could you possibly know one way or the other?
Unfortunately, a vendor’s IT organization can be in complete compliance with a valid cybersecurity standard and still not be a safe vendor for you. At the same time, a vendor whose IT department is not in compliance can have well-thought-out, customer-facing cybersecurity hygiene that maintains, and even improves the security of your systems and data.
So, which is better for you and your organization, a valid and mature customer-facing, security hygiene, or protocol, and no back-office compliance or poor customer-facing security and full compliance? Although a vendor having both would be nice, we believe you agree that that best choice is for your vendors to have a mature, customer-facing security protocol. This is especially organizations. The security of your organization can be dramatically improved by simply encouraging your IT systems contractors to define their customer-facing security protocols and then to share them with you.
Know Your Third-Party Vendors
Fortium recommends that you require each of your vendors to prepare and provide a service-level statement of their cybersecurity hygiene (practices and controls) and how those practices and controls apply to the work the vendor performs for you (the customer). Simply contact each vendor directly, or have a third-party such as Fortium do this for you, and ask that each prepare a statement of their cybersecurity hygiene. In addition, you might give them an assist and recommend an independent party to mentor them through the process of preparing their service-level statement. They just might need that assistance. They might even thank you for your interest and support, as it could prove to be a service differentiator for other clients as well. Helping your vendors deliver security as part of the solution they typically offer is one of the great win-wins available today.
Note: Viakoo encourages guest blogs and industry perspectives. Please contact John Gallagher ([email protected]) if you are interested in sharing your views.