A 2016 survey by the independent Ponemon Institute, shows that 56 percent of organizations have had a breach caused by one or more of their vendors.
Yet, fewer than one in five companies, 17 percent, felt their organization effectively managed third-party risks. Less than half said that managing outsourced relationship risks was a priority in their organization. That thinking has turned into a serious mistake for many.
Small businesses are soft targets
Hackers view small to medium size businesses as less protected and a potential back-door entry to larger organizations. Last year Target paid $18.5 million to 47 states for a 2013 breach created when criminals entered Target’s system through a refrigeration, heating, and air conditioning subcontractor. Yahoo also experienced a massive break-in caused by a third-party vendor.
Did the Target HVAC contractor gain back his reputation? The damage to smaller companies, with fewer resources to recover, can be devastating. Yet, more than half of companies don’t keep a comprehensive inventory of third parties that share their sensitive information—or are allowed free remote access to their network.
Also unsettling, is criminals can continue to create risks even ‘after’ vendor termination, taking advantage of patches and outdated software. Unfortunately, this is the soft underbelly—the entry point for many vendor-connected breaches.
Managed security can help lift the third-party burden
There’s a saying in the managed security industry that you’re only as secure as your ‘least secure’ contractor. Managed security can minimize the risk of hiring a third-party vendor if you can find the right one. Here are questions that can peel back their vulnerabilities and raise red flags.
Before hiring a managed security partner ask if they:
- Specialize in your market.
- Are audited by a third-party organization. For example, EO Johnson Locknet completes multiple audits and risk assessments each year, including a SOC2 audit.
- Have most of their services in-house. Fewer vendors mean bringing down the number of third-party vendors that will require your due diligence.
- Will reveal what services are subcontracted.
Preventing third-party breaches means evaluating your current IT security needs
Invite managed security companies to your site to meet. Let them put a trained eye on your current security.
Here are some questions they may ask you:
- Does your staff have the time, expertise, and resources to vet third-party vendors and do they know the warning signs of a potential vendor risk? A managed security partner is trained to look for trouble and raise the alarm.
- Does your staff have the time and resources to keep up with all the software updates and other security maintenance? Outdated software can be an open door to your system. A partner in managed security has the know-how to keep the ‘no entry’ sign-up for cybercriminals.
- Are you monitoring your system around the clock? Cybercriminals have eyes on you 24/7 trying to crack codes and find holes to reach your sensitive data. Think of managed security as round-the-clock surveillance. If a middle-of-the-night breach rears its head, the managed security provider should be working with you on it before your staff gets their morning coffee.
- Could your in-house staff take on other job responsibilities if they knew a managed security provider was watching your network for third-party intrusions and other breach events? Many businesses have found new opportunities to use staff time when they have the flexibility to leave the cybercriminals to the experts.
Managed security can help avoid third-party vendor breaches
Most likely you’ve done a good job vetting your primary vendors. Considering the heightened threats, it may be time to entertain the hiring of a managed security partner who can walk ‘downstream’ and make sure your primary vendors and their subcontractors can do no damage to your sensitive data, customers, and bottom line.
