There can be a lot of moving parts when it comes to implementing a cybersecurity policy. And the truth is, you can have air-tight security procedures for your internal systems and still be vulnerable to attack through any third-party companies you use. We’d like to think the bad guys are faceless, nameless people in the digital ether. In fact, they are often individuals we know, who are either careless or intentional in their abuse of our systems. According to the 2019 Verizon Data Breach Investigations Report (DBIR), privilege misuse (of which this type is) accounts for 48% of incidents reported and 15% of all breaches.
This is why certain laws are beginning to include regulations involving the use of third-parties as a part of your overall cybersecurity protections. New York State Department of Financial Services’ (NYSDFS) Cyber Security Regulation is one such law. While the regulation itself went into effect in 2017, requirements regarding third-parties were rolled out this past March.
Conduct a Third-Party Audit
As a part of the NYSDFS’ Cyber Security Regulation, financial institutions will need to complete an audit of all third-parties and their cybersecurity policies. Here is a quick primer on what you should include in these audits:
Identification and Risk Assessment
Per NYSDFS regulations you’ll need to identify all third-party providers you use and conduct a thorough risk assessment for each one. Your risk assessment should focus on pinpointing vulnerabilities presented by the third-party based on the sensitivity of data provided and the third-party’s current security controls. Classify each provider based on the risks they present. Be serious about your third-party review process up to and including review of HR policies. For highly sensitive information, you might even consider running background checks on contracted parties yourself.
Put it On Paper
Make sure that the third party understands your security requirements and that they are built into any agreement that you have with them. A critical part of these policies is the inclusion of access restrictions. Every user should be given the least amount of privileges necessary to complete their work, and those with high risk should be given more restrictive access. Implementing Data Loss Prevention tools can also help monitor and restrict the ability to share information. Make sure that all third parties with access to your data utilize encryption for data at rest and in transit. Make sure there is a cyber awareness program in place and a solid incidence response plan.
And certainly, you will want to be notified and indemnified in the event of a breach on their end that impacts you.
Trust but Verify
For third parties with access to your data, it will be necessary to an audit of their security practices. There are third party certification bodies — SOC 2, ISO/IEC 27000 and HiTrust Certifications, for example — which can demonstrate that the third parties have satisfied the requirements of an external body. There are also organizations such as BitSight, SecurityScorecard and Upguard which can provide you with a report on your third parties based on external scans and other information.
In some cases, you will want to see for yourself and conduct an on-sight review to make sure that your critical third parties have the security posture you need. And, it also creates an opportunity to share and learn on both sides. These discussions can make everyone stronger.
Rinse and Repeat
As with all aspects of cybersecurity, you need to periodically re-assess your third-party provider’s security processes and adjust your own policies and procedures based on any new risks.
The Weakest Link…
doesn’t have to be your business partners. Appropriate dialogue and diligence can strengthen relationships and security postures.