Digital transformation increases the number of vendors that your organization incorporates into its IT ecosystem. Each third-party, however, increases your company’s cybersecurity risk. What used to be considered “trust but verify” has now become “verify then maybe trust.”
Vendor due diligence is one of the primary requirements common to most cybersecurity regulations and industry standards. With companies increasingly responsible for monitoring and managing their vendors’ cybersecurity posture, you need to know everything you can about your business partners before you contract with them.
The weakest spots in cybersecurity management
Before we provide due diligence and vetting steps that your company can take prior to working with a new vendor, a brief review of two often-overlooked aspects of IT security defense is in order.
1. Awareness is not security
According to a recent study from Tessian, 43% of respondents admitted to making mistakes at work that compromise security, explaining why phishing remains one of the most successful cyberattack methods. According to the Ponemon Cost of a Data Breach Report 2020, phishing accounted for 14% of malicious data breaches.
While you might be able to provide oversight for your own employees, you can’t do the same with vendor workforce members. To protect your organization, you need to ensure that vendors’ cybersecurity posture aligns with your own.
2. Proactive defense-in-depth works
You can’t sit around waiting for a security incident to occur. You need to be proactive, not reactive, about protecting your information and ensuring your vendors are also proactive. Problematically, you can’t control your vendors’ security monitoring any better than you can maintain their employee cybersecurity awareness.
While you need to document vendors’ answers to security checklists, you also need to make sure that they are layering their defensive security mechanisms and continuously monitoring those mechanisms for weaknesses.
The risk assessment checklist: vet your vendors’ cybersecurity management
Vetting means executing due diligence by checking a vendor’s systems, policies, and procedures for security weaknesses. This means running through a risk assessment checklist to make sure that the vendor adheres to the same security standards that protect your company from attack. You must ensure that security leaks are plugged in terms of both the vendor’s computers and its people.
Your company can adopt different standards and vendor risk management plans to help mitigate risk. Then there are OCC and HIPAA rules if required by your industry. All of these plans and standards tend to be written at a high level. So, here are 15 rules that you can use as a vendor risk management checklist written in a simpler manner:
1. Cloud services configurations
Cloud misconfigurations accounted for 19% of the data breaches reported in the Cost of a Data Breach Report. Misconfigurations for cloud assets such as serverless functions and databases can increase your data breach risk. Before signing the contract, you want to make sure that all cloud assets are configured appropriately and that the vendor does not store non-public information in plain text.
2. Application security
Moving to the cloud means that your employees are accessing your vendor using a web application. Whether it’s your enterprise resource planning (ERP) or human resources applications, you need to make sure that the portal your employees use to access the vendor is secure and protects against Cross-site Scripting (XSS) and SQL injection attacks.
If your vendor collects, stores, or transmits any of your employees’ or customers’ non-public personal information, you want to make sure that the data is encrypted using Advanced Encryption Standard (AES) best practices. You need to make sure that all data – both at-rest and in-transit – is encrypted appropriately so that even if attackers steal it, they can’t read it.
4. Incident response
As part of a proactive approach to managing vendor cybersecurity, you need to know how your vendor handles identified incidents. This includes knowing how they monitor their environment, how they receive and prioritize alerts, and how rapidly they respond to alerts.
This means reviewing documentation that proves the vendor’s employees are only accessing the resources they need to complete job functions. Procedures should exist on how often managers review user access and whether the periodic access reviews are done purposefully. The vendor should be maintaining segregation of duties (SoD) by ensuring that users’ access does not create a conflict of interest such as a person in charge of accounts payables also having access to accounts receivables.
6. Log monitoring
Not every company is going to be sophisticated enough to use Splunk or ELK to monitor logs with advanced analytics to flag security incidents. In such cases, the vendor should ideally use a Managed Services Security Provider to monitor its logs and network traffic.
7. Password policies
Companies should stop using password-only sign-on and add Multi-Factor Authentication (MFA). MFA means that the organization requires users to provide something they know (a password) and supplement it with either something they are (fingerprint, face scan, other biometric) or something they have (token, key) or a combination of all three.
A common problem with TFA is service accounts – shared logins used by multiple administrators or outsiders. Since organizations often overlook the need to change default passwords, service accounts are a common way for hackers to gain access to a system. Their passwords must be changed frequently to decrease cybersecurity risk. Despite the inconveniences this poses, such as downtime and the risk that a system might not start up again when connecting to other systems after a password change, frequent changes are a very necessary security step.
8. Security awareness training for employees
Vendors should be able to provide documentation proving that they train employees annually on security and provide training programs for new hires. They should make their employees aware of cybersecurity risks and provide them with risk management best practices that they can follow.
9. Bring-your-own-device (BYOD) policies
The increased number of employees working remotely makes BYOD more important than ever. Employee-owned laptops, smartphones, and tablets pose security risks because the organization can’t control how and where users access cloud resources. For example, remote employees use their home wifi networks which can be a data security risk. When reviewing your vendors’ security posture, you need to know how employees can access the vendor’s systems, software, and networks as well as what controls are required to prevent man-in-the-middle attacks from public or personal wifi.
Remote access to your company’s network, apps, and servers should be via VPN or Windows Remote Desktop. The connection from the vendor to the client company should be via IPsec VPN. Don’t just whitelist an IP range.
11. Physical security
Your vendor needs to have some policies to prevent, for example, a hacker from simply walking into the data center and removing a drive from a storage array. Or walking into Accounting during lunch and walking out with a whole PC.
12. Email spam software
Since phishing is still the number one attack vector, every company needs reliable anti-spam software. Defense in depth is wise; your vendor should scan at the mail server level as well as at endpoints.
Vendors should have antimalware and anti-ransomware software installed on all devices that connect to their networks. Cybercriminals often drop malware into phishing emails, and the malware installs itself as part of a successful attack. Antimalware software can help mitigate these risks.
14. Decommissioning services
Vendors must have procedures for disconnecting old devices from the network when they are no longer. For example, if an end-of-life device remains connected to the network, the device manufacturer is likely not supporting additional security patches, and the vendor is likely not monitoring the device’s connection which offers cybercriminals a way to get into the network.
15. Patching policies
Microsoft, Adobe, and other companies send out patches almost daily. So your vendor needs a risk management system to make sure these are applied daily to protect against zero-day attacks. The days of waiting for Patch Tuesday are behind us; continuous updates must be a priority.
SecurityScorecard for robust vendor risk management
These are only some of the items that your company can do to make sure that your vendors adhere to cybersecurity best practices. These practices will help keep your vendors from being the conduits through which your company gets hacked and suffers the loss of customer or company data.
SecurityScorecard’s security ratings platform continuously monitors your vendors’ cybersecurity posture across ten categories of risk factors, including IP reputation, DNS health, endpoint security, patching cadence, and network security. Our easy-to-read A-F rating scale provides at-a-glance visibility into the effectiveness of your vendors’ security controls so that you can continuously validate and verify their security posture.