Is Your Vendor Letting More In Than Cold Air?


One of the main problems we face when preventing cyber attacks is that attackers work to anticipate where users are conscious of their vulnerabilities and where users won't expect an attack. An increasingly common example of this is the exploitation of third-party vendors as an entry point into a company's systems and databases.


A fish tank, for example, doesn't exactly jump to mind when thinking of potential vulnerabilities, but it was in fact the point of entry for a cyber attack on a U.S. casino. According to a report from Darktrace, a casino installed an internet-connected thermometer in its aquarium, only to later find that someone was using this device to access and export data from the casino's high-roller database. Even the infamous Target breach occurred because of vulnerabilities coming from Target's HVAC vendor.


Businesses should therefore not only monitor vulnerabilities within their own systems, but also determine efficient ways to validate that vendors are compliant with privacy standards. Here are four steps to make sure vendors are not leaving your business vulnerable:


  1. Risk Assessment: When working with companies, vendors will have contractual requirements in place, but they vary widely in the level of due diligence they perform beyond that. It is therefore important to determine what risks each of your vendors may present from a cybersecurity standpoint and to categorize the level of due diligence needed according to the level of risk they present.
  2. Request a Copy of Current Cyber Security Policies: It is important to understand exactly how your vendors handle privacy concerns, and what active steps they are taking to secure your data. Requesting and reviewing a vendor's current cyber security policies will help you better understand the value your vendors place on privacy, and what measures they are taking. If a vendor has no cyber security policy in place, that is a red flag.
  3. Review Vendors' Privacy Compliance and Standards Reports: There are a variety of externally verified reports available that certify a company's compliance with privacy standards. AICPA's Service Organization Control 2 Report (SOC 2), for instance, evaluates a company's internal controls and procedures with regard to security, processing integrity, and privacy. An ISO/IEC 27000-series certification is another way that companies can verify compliance with privacy standards.
  4. External and Internal Vulnerability Reviews: Lastly, it is important to regularly conduct vulnerability tests on vendors' systems. External reviews, such as phishing tests and IP scans, help assess vulnerabilities that may be exposed from the outside or introduced by employees. Internal reviews, on the other hand, require on-site visits in order to identify and document vulnerabilities via assessment tools, interviews, and manual inspection of key assets.


Following these steps will help to determine and mitigate information security vulnerabilities presented by third-party vendors. This is not, however, a static process. Threat landscapes change constantly and business models continue to evolve. Reviews of vendor vulnerabilities should therefore be conducted on a regular basis to ensure the security of your company's information and assets.