Are You Reviewing Your Third Parties for Security Risks?

"This is the largest and most sophisticated attack the world has ever seen."

These words, spoken by Microsoft's Brad Smith to 60 Minutes, summarised months of panic from tens of thousands of companies the world over. Microsoft alone assigned hundreds of engineers to look into the fallout, but the closer they looked, the worse it seemed to get.

This was the SolarWinds attack, something we've written about extensively. But the horrifying scale of it wasn't achieved by Russian military hackers cracking into the systems of each individual of its 18,000 victims - they just had to attack one single third-party vendor, and it gave them the keys to the world. 

In this article, we discuss why third-party risk is now one of the single biggest cyber threats an organization can face, and offer tips on how to shore up your systems against such a threat.

Why you must review third party vendors for security risks

Businesses these days aren't just a part of the supply chain, but the global digital supply chain. This interconnected web of IT systems has enabled whole new heights of process efficiency, product improvement and technological innovation, but it's also created new cyber security risks.

When systems are connected, especially if one business uses another's software, that business puts itself in the hands of its vendor; if the vendor is not secure, the business is not secure. 

Cyber criminals know how to attack companies in this manner

SolarWinds was not an isolated incident. In fact, long before the 2020 attack (e.g. NotPetya) and still after (e.g. Kaseya), we've seen multiple compromises of the global digital supply chain. Advanced persistent threat (APT) groups know how to use third-party vendors to wiggle into other organizations' systems, using a variety of increasingly complex attack techniques to disrupt and destroy.

Ten years ago cyber attacks may not have been as common, vicious or widespread. But the world has changed. If you'd like to learn more about the scope of the problem, some of these links may help:

• Learn the scale of cyber security risks in Germany, 2021
• Discover the most common cyber attack techniques of 2021
• Read the EU Agency for Cyber Security's mapping of supply chain attacks 2020-2021

5 steps to better manage third-party cyber security risks

1. Review third-party agreements with security personnel 

Who is responsible for reviewing vendor contracts in your company? It's very common for organizations to have a general agreement which is renewed automatically once signed, say every one or two years. Typically this agreement will not be reviewed again, or is written/agreed by lower departments and the language ends up quite generic, or templated.

Additionally, such contracts are also often signed by a head-of-department who is not actually managing those systems. Perhaps someone from finance or legal will be involved, but it's a contract for a complex IT system.

These are all problems for a few reasons

• No one with the right expertise has eyes on the agreement.
• The agreement is worded in a vague or generic manner, leaving key details out.
• If it's automatically renewing, the person who originally signed the agreement and is responsible may not work for the company anymore.

Solving this problem

The first best step you can take to solving this problem is having a few more key personnel involved right from the contract review and signing process. This would include an expert from the applicable department, your security team, and your data privacy team (such as a data protection officer, or DPO). 

• Bonus tip: Good synergy between cyber security teams and the DPO is key for many processes in an organization, not just the contract review process.

In this way, your experts will review the agreement from their respective standpoint (i.e. technological or security) and go through all the bullet points and checklists of each article asking the right questions.

Their job is to make sure that the systems mentioned do what they say they do, are connected to what they say they're connected to, that there's a chain of command (and responsibility) at both ends of the agreement, and that the vendor has been reviewed for red flags - see below.

2. Audit existing third-party agreements for relevancy and compliance

Reviewing new agreements is one thing, but you must also check existing agreements. After all, what if you've already signed a red flag contract?

Apply the same advice above to your existing contracts, combing through them with your individual experts.

Here's what you need to check for

• Is it still relevant? As in, do the systems involved still do what they say they do in the agreement? If a contract has been auto-renewing for years then the systems and data it mentions may have evolved since then, growing potentially into something different, or just being used in a different way.
• Is it still compliant? Regulations are always evolving and they may have evolved since the signing of an agreement. For example, with regards to data and the GDPR, if you're sharing data with a vendor, where does it go? Outside the EU? Suddenly you're dealing with a different set of rules. You might be in breach.

• Is the chain of responsibility still in place? It must be clear in a contract who is responsible for what, and who takes ownership in the event that something goes wrong. Who takes blame, the cost to repair, who fixes issues? It cannot be vague. Check who is responsible, accountable, and managing this from an operational standpoint.

3. Try to examine your vendors for security red flags

Alongside any contractual agreements, your security personnel and DPO should be involved in reviewing third parties themselves for red flags.

But how much can we really ask our vendors about their security?

Well, you probably can't go into their office and demand to see every little detail about their policies and review every line of code, but you can still find out quite a lot by asking the right questions and paying attention.

Workshops, demos, reading documentations, all of these activities will give you a glimpse into the system to some degree, and more importantly, offer opportunities to ask about security concerns. You could ask to audit their system or review its components, and many vendors will be happy to show you - after all, from their perspective their honesty will be helping to sell their product.

• Bonus tip: If the contract review process includes security personnel, they can ask for a clause in the agreement which obliges the vendor to receive an audit and give over all the relevant information that is asked of them.

Here's a list of things to review

From the earliest points of contact with a vendor, review all of the below. Again, they may not provide you every single minute detail, but they are obligated to answer basic security and business continuity questions and if they are shy about their security, this is perhaps one of the biggest red flags of all. 

• See how they are managing their IT systems.
• Do they have a business continuity plan?
• Which standards are they adhering to?
• Is their company certified with the ISO or another security framework?
• Where are they storing their source code and how is it protected? What type of password encryption is in place? 
• Bonus tip: For extra peace of mind you can also investigate their industry more widely. What are its threats? What are its risks? Understanding these could help you predict future problems, and prepare for them.

4. Keep a diverse set of suppliers

It feels convenient to lock into a single, major vendor and access a raft of tools from them. Their tools might be designed to work well together, or perhaps it just seems easier to sign one agreement rather than many. But this might not be good for your security risk.

Assess your risk appetite and ask if you should be keeping a more diverse set of suppliers. This will help you in three areas:

• Cybersecurity: Should one vendor get hacked, only a part of your system is exposed. You can isolate it and fix it while maintaining the health of the other systems (after auditing them first, to see if the intrusion spread).
• Business continuity: If one vendor goes down, you don't lose everything.
• Regulatory compliance: When it comes to cloud technology, regulators are increasingly worried about concentration risk and vendor lock-in. Staying diverse could help your business stay ahead of future changes in law. Multicloud is a potential solution here.

Learn more: "5 multicloud security challenges and how to address them"

5. Don't rush into an agreement

Don't rush into any agreements because the salesperson wowed you, or you like the big-brand name - always review different vendors. 

You may hear that major brands are working with a particular vendor, and while this is certainly a good sign, it doesn't mean you should automatically do the same. Their risk appetite, security posture and cybersecurity capabilities will all be different to yours and therefore they might have assessed the risk differently.

Focusing on fewer rather than more vendors means you may overlook a lot of better options - better functionality, less cost, a salesperson who might be able to provide a better agreement or contract. 

Here's a practical tip to help you avoid rushing

Before setting your sights on any one brand, analyze maybe four or five vendors that provide the same or similar services. Look for other features, like better or more local support, frequency of security patches, the 'vibe' you get from their customer service people (pushy, or friendly?).

Still not confident? We can help 

Supply chain compromise is a huge risk, and we understand that you still might feel nervous about it even after following our five steps. After all, the more vendors you work with, the more you may feel you are at risk and the more complex it may be to review each one - and keep auditing them over time - to feel peace of mind that they are secure. 

We can help you.

At dig8ital, we're specialists in digital transformation and cyber security, and know how to blend technical and process evolution with change management at the human level. We stay on top of the world's evolving cyber security situation so you don't have to, and we're here to help.

To learn more about securing your business from the ground up, download our free webinar on transforming business through security architecture. Or, for a free maturity consultation about your unique needs, contact us today.