Sage Advice - Cybersecurity Blog

The epic Target breach raised our awareness that third-party service providers are a significant cybersecurity risk. It showed us how an employee at an HVAC vendor could click a phishing link and result in 40 million credit / debit card numbers and 70 million customer and employee records being compromised.

Cloud computing has gained popularity over the past few years, and organizations large and small are utilizing a variety of cloud services to support their business needs.

Even more than five years later, the Target breach is still one of the top 10 data breaches of the 21st century. It was also a watershed moment for cybersecurity. Not only did it shine a spotlight on payment card security, it also brought to light the idea that third-party vendors are a potential cybersecurity risk that organizations need to consider.

It has become the norm for businesses today to rely on a multitude of third-party service providers and other vendors to support core business functions. It’s also pretty common for these third-party entities to have access to a company’s data and its internal systems. This interconnectivity presents an inherent risk that must be managed. After all, you can outsource the function, but never the responsibility.

If you’re like most businesses, you have a variety of third-parties that you rely on to support your core business functions. And in many cases, they have the ability to connect to your network. By providing them remote access, you are effectively increasing your potential attack surface for cybercriminals to exploit. So what happens if their systems aren’t secure? They could inadvertently open up a door to your network and allow a bad guy to get in.

Even when contracting with a third-party service provider or other vendor, protecting your data is always your responsibility. Establishing a vendor management program allows you to have proper oversight of these vendors, and is an essential element of your organization’s cyber resilience strategy. You need to understand how your critical and high-risk vendors manage their own internal control environment and/or their connection to yours, so you can ensure they will meet or exceed your internal policy and standards requirements.

In today’s business world, it’s pretty common to rely on third-parties to perform or support critical operations.  However, this reliance opens your organization up to cyber risk, especially if you work with vendors who have access to your customer and/or sensitive data or access to your internal network.  This access effectively expands your cyber-attack surface.  That’s why having a vendor management program should be a critical part of your operations.  You have sole responsibility for protecting your data – you can’t outsource that – so you need to understand how your vendors manage their own internal control environment and their connection to yours, so you can ensure it meets or exceeds your internal policy and standards requirements.

Since the hugely-publicized Target breach of 2013, the importance of understanding the cybersecurity environment of your business’ third-party vendors has grown.  This breach served, in part, as a catalyst for new requirements and best practices.  For example, in 2015, the Federal Financial Institutions Examination Council (FFIEC) updated their Business Continuity Booklet, which is one in the series of booklets that comprise the larger Information Technology (IT) Examination Handbook, to include Appendix J: Strengthening the Resilience of Outsourced Technology Services.  The new recommendations stated that continuity planning isn’t limited to just your organization, but extends to all outsourced and supplier relationships as well.   

Many of the recent cyber attacks in the news have something in common. A third-party vendor or affiliate is involved. Proper oversight of these third parties is an essential element of your institution’s cyber resilience strategy.  You can outsource the function, but never the responsibility.

You already know who your critical vendors are, right? But do you know all your vendors? If a regulator were to walk into your office and ask about Vendor Z, are you confident enough in your documentation that you’ll be able to explain Vendor Z to them?

Even though you have a handle on your critical vendors, it’s often the “minor” vendors that get us in trouble. If the regulators hear you say, “I’m sorry, I don’t know who Vendor Z is, but I’ll find out for you,” it makes them wonder if you really have a firm grasp on your Vendor Management program.