Risk management, compliance, and security are a shared burden between your organization and your vendors. Standards such as NIST (Publication 500-292) and regulations like HIPAA and PCI-DSS provide considerations for compliance and security but do not account for the nuances of your unique business or your infrastructure. To make matters more complicated, guidelines are written as though one party is responsible for compliance and security, but most organizations rely on multiple vendors. Meaning you probably have a greater third-party cybersecurity risk than you realize.
Outsourcing can lead to the ambiguous delegation of compliance responsibilities, lack of data governance and security practices, and difficulty in achieving data protection—ultimately risking non-compliance and leaving your infrastructure vulnerable. We’ve seen organizations like Target, Equifax, and Uber fall victim to a breach due to a third-party vendor, but it doesn’t have to be this way.
EmeSec CEO Maria Horton, OnRamp Founder Chad Kissinger, and EPMG Advisors Managing Director Michael Casey share insights into closing the gap on who’s responsible for what in data security and offer best practices for improving your security posture. Here’s what you need to know.
Today’s Third-party Cybersecurity Landscape
According to studies by the Ponemon Institute, 50% of organizations don’t know who has access to their data, how they’re using it, or what safeguards are in place to mitigate a security incident. One of the main causes is the complexity of technology and the number of people involved. A breach often occurs due to a breakdown in communication between different people.
The Third-Party Ecosystem
Many businesses outsource workloads and processes—and have moved from on-premise solutions to colocation, managed services, and cloud services—to increase efficiency, focus on their core business, and ultimately develop a competitive advantage.
However, as businesses move applications to the cloud, take advantage of new technology, and integrate systems with their existing infrastructure, their hybrid model involves different providers and creates challenges in management and security. “When vetting and choosing providers, you should look for vendors that improve your security and compliance posture, not jeopardize it,” advises Horton. If you’re in the healthcare, financial services, or a similar business that has strict compliance and security mandates, your provider can make or break the success of your efforts. Which means you have to be extra observant when it comes to third-party cybersecurity.
What Causes Data Risks? Here’s The Breakdown.
38% of organizations have no tracking methods regarding their risk management program internally or externally – Ponemon Institute “Data Risks Study”
Compliance regulations, like HIPAA, are written as though one party (your organization) is responsible for your security and compliance. When you dig further, you realize that the regulation requires that both you and your providers maintain the proper policies, technology, people, and processes to remain compliant. Compliance guidelines are difficult to interpret and do not outline who is responsible for what. But, rest assured you and your providers are legally on the hook to fulfill these responsibilities. “One common misconception when working with a compliant provider is that you, in turn, are automatically compliant without doing anything additional. This is not how it works,” says Casey. When assumptions are made, and responsibilities aren’t documented and managed on an ongoing basis, you can open your business up to vulnerabilities. Businesses shouldn’t just rely on contractual agreements, though; audits and assessments should be put in place to evaluate third-party cybersecurity, and you can use industry standards to vet providers. For example, prior to signing an agreement, did you ask your vendors what security certifications and accreditations they have in place to prove they can protect your systems and data? (I.e. The Health Information Trust Alliance certification – HITRUST)
There are many moving parts to your operations, and they all need to be tracked, monitored, and secured based on best practices. Although you may have additional challenges, our experts agree that the following are the most common data risks and top challenges in a shared security model:
- Acting on guidance that’s not prescriptive. (i.e. HIPAA regulations)
- Insufficient policies and processes. Just because you have policies and processes in place do not mean they are the right ones.
- Unclear roles and responsibilities.
- No accountability or oversight. Accountability for the correct handling of an organization’s third-party cybersecurity program is decentralized. No one department or function is responsible for ensuring that appropriate privacy and security language is included in all vendor contracts.
- Lack of due diligence in choosing and monitoring third parties.
- Insufficient technology.
The Importance of Roles, Responsibility, and Accountability
In a PwC Compliance Report, only 16% of executives indicated that they view their CEO as the compliance and champion at their organizations. Oversight and responsibility from the top down lays the strategic foundation for a culture of compliance and security. Management programs help ensure your organization conforms to all necessary regulatory requirements and facilitates communication between your CEO, CFO, security team, and compliance team. Appoint one person to centralize these points of view—technical, operations, and leadership—and maintain an inventory of all vendors and what information they can access.
Figure 1: Data Security Responsibilities and Activities – Internal
While operations, security, compliance, and IT take the lead on strategy, information custodians (i.e. Database Administrators) control access to your data and everyone plays a part in reducing vulnerabilities and reporting possible security incidents.
Shared Responsibility Varies by Model
When developing your security and compliance plans and negotiating your business associate agreements, remember that the division of responsibility varies based on the model(s) you use. If you use a combination of solutions in a hybrid IT model, you’ll need to manage your third-party cybersecurity efforts across your solutions and their corresponding providers. The division of responsibilities varies on a per-vendor basis, but here’s an example of what you can expect:
Figure 2: Shared Security Responsibility Matrix – Internal and External
Work with your providers to break down which physical and logical security methods they use to protect your environment and always use a layered approach. The last thing you want is to experience a data breach because you assume your vendors’ security efforts are sufficient. Target’s breach due to a HVAC system hack, for instance, could have been prevented with the use of two-factor authentication and anti-malware protection. A successful compliance and third-party cybersecurity strategy combine the right technology with people and processes. Audit your current efforts with these best practices:
- Data encryption in transit and at rest
- Multi-factor authentication
- Cloud encryption
- Audit logs showing access to data
- Vulnerability scanning, intrusion detection/prevention
- Hardware and OS patching
- Security Audits
People & Processes
- Audit operational and business processes
- Audit access management
- Enforce privacy policies
- Ensure cloud networks and connections are secure
- Evaluate security controls: physical infrastructure and facilities
- Data decommissioning process
- Be prepared for incidents
Remember that cybercriminals are always looking for the weakest link. Attackers cast a wide net for their attack, and do not typically spend their time targeting a single network. The objective is to gain entry, retrieve your valuable, sensitive data and get out quickly.
Tips on Choosing Secure Vendors
Before you sign a contract, make sure you address how our information is being accessed and processed, including with whom you have no direct relationship, like your vendors’ providers (4th parties). Determine what’s an acceptable level of security from your vendors, and ask for certifications, such as SOC, HITRUST, ISO 27001, PCI-DSS. Also, beware of these risk indicators:
- Turnover of the vendor’s key personnel
- IT glitches, operational failures and stoppages
- Outdated IT systems and equipment
- History of frequent data breach incidents
- Legal actions against the vendor
- Poorly written security and privacy policies and procedures
Although the shared responsibility model can be overwhelming, the efficiencies it affords your organization is well worth the effort. By focusing on your security and compliance controls and prioritizing documentation, you’ll increase visibility into your entire infrastructure and its security. Should a security event occur, your organization will be able to detect, prevent, and remediate the issue quickly.
More Resources on This Topic:
Third-Party Risk and What to Do About It
Why third-party cybersecurity matters
This post originally published on OnRamp.