If a third-party vendor has access to your organization and the vendor gets hacked, your company is at risk of losing vital data, confidential employee data and contact lists. The consequences can include damaged reputation, stockholder sellouts, insurance claims, extensive financial damage and possibly even bankruptcy.
Remember these steps to reduce the risk of a data breach:
- Your organization must own a defense strategy that covers all your assets, all your endpoints, all mobile devices, all applications and all data. The strategy should include encryption and two-factor or multi-factor authentication for all network and data requests to and from third parties. Also, establish a comprehensive security policy for employees to follow, and take steps to make sure they comply by implementing data classification, access control, access rights, auditing and more. Train your users against releasing any security credentials to unauthorized parties.
- Some third-party vendors only need access to your network, while others need access to specific data. You have to implement a “least privilege” policy covering who can access your data and network, and specifically what they can access. Regularly review the credentials of the third party’s users and understand who is using them within the partner organization. Also limit temporary access, as it potentially opens the door to increased vulnerability.
- It is essential to continuously assess the third party’s security policies and best practices to determine if they meet those of your organization. Have them take part in thorough information security assessments at regular intervals, and ensure that all contracts contain clauses detailing their obligations for their own employees as well as for engaging in security training and enforcing robust security controls. Also, require them to perform up-to-date patching and vulnerability protection, and make sure you put an auditing program in place to confirm that their contractual obligations are being followed to the letter.
- One of the best things you can do is create a service-level agreement (SLA) with a third-party vendor which – at least on paper – will take your mitigation strategy further. Basically, the SLA should mandate that the third party complies with your company’s security policies. It is vitally important that each SLA gives your company the right to audit the vendor’s compliance with your security policies. Key elements of an SLA should cover: information security, information privacy, threat and risk analysis, network and data access, disclosure and breach reporting requirements – and, of course, auditing/verification of compliance. As part of these requirements, make sure they are following NIST guidelines as well as SANS Critical Security Controls.
Reference: Security Magazine