How Leading Organizations Are Mitigating Third Party Cyber Risk

September 2, 2015

By Jacob Olcott, BitSight Technologies

It was a crime that sounds more like a Hollywood blockbuster.

Last month, US law enforcement officials, along with the Securities and Exchange Commission, announced the indictment of 35 individuals who hacked into earnings press statements prior to their release. Armed with this insider information, the traders made more than $100 million in profitable trades before the earnings became public.

The case is a perfect illustration of why corporate executives are increasingly concerned about “third party cyber risk”: data breaches affecting critical vendors, contractors, and other business associates can have a material impact on your business too.

Cases in which third parties are the source of a data breach are on the rise. Aside from the most recent indictment, there is perhaps no more famous incident than the 2013 Target breach. In that incident, attackers penetrated the network of Target’s HVAC contractor, which had a direct connection into Target’s network in order to observe refrigeration units in each of the stores. Gaining access to the HVAC contractor, the attackers rode directly into the Target network and stole millions of credit card numbers. The result was not only a material financial loss for Target, but also the ousting of Target’s CEO and CIO, and the near dismissal of several key board members.

Target was just one of a number of retailers that experienced third party breaches. Lowe’s, Goodwill, and other retailers have also been victimized through their third parties. And it’s not just retailers. The recent OPM data breach that compromised the data of millions of federal employees provides another example of how storing data on a third party server can have catastrophic consequences.

Attacks against third parties have become commonplace for three main reasons. First, organizations rely on more third parties for key business functions that used to be performed in-house. With payroll, HR, legal, sales, PR, and even product development functions being outsourced, more third parties have access to more sensitive business information, which makes protecting that data a great challenge. Second, our business environments have become more interconnected, which means that there are more third parties who have been granted direct access to our networks in order to perform their job functions. This privileged access is great for achieving business objectives, but it also creates greater risk. Third, as first party organizations improve their cyber defenses, attackers are increasingly searching for the weakest links. Smaller businesses often have fewer resources to protect their environments and represent easier attack vectors for the bad guys. Given their access to sensitive data or even the broader network itself, third parties represent great targets for the bad guys.

Solving these cybersecurity challenges presented by third parties is not easy. Clearly, bringing outsourced functions back in house is not the answer; those decisions were made for cost savings and efficiency, and it is difficult if not impossible to reverse the trends of outsourcing.

A number of sophisticated organizations are realizing that the answer lies in better managing these third party risks through a combination of contract, diligence, and monitoring.

First, organizations are reexamining their contracts to make sure their third parties are meeting an agreed-upon level of cybersecurity. Organizations typically begin with the third parties that present the greatest risk: those that hold the most sensitive data (like PR statements about your next quarter’s earnings) or have the greatest network access. Contracts can require that third parties meet a specific standard for cybersecurity (e.g. ISO 27001, NIST 800-53). It is not advised to simply require a “generic” level of security; in other words, don’t tell your third party that “adequate cybersecurity” is good enough for you!

Second, organizations are performing better cyber diligence for their third parties. Before entering into a contract or signing a renewal, they are asking for and receiving information about their third party’s cyber risk management efforts through questionnaires, audit reviews, and technical assessments like penetration testing or vulnerability scans.

While these initiatives are important, they only represent a snapshot in time. That’s why organizations are increasingly using continuous monitoring capabilities to monitor their vendors’ cybersecurity in real time. Receiving real-time alerts when a third party’s network security is impacted is a critical way to reduce your third party cyber risk.

Last month’s monumental “insider trading” case should provide your organization with enough reasons to move forward on a third party cyber risk management program. As these incidents continue to rise, it is clear that the time to start is now.


About the Author

Jacob Olcott is VP of Business Development at BitSight Technologies. Olcott previously managed the cybersecurity consulting practice at Good Harbor Security Risk Management. Prior to Good Harbor, he served as legal advisor to the Senate Commerce Committee, and also served as counsel to the House of Representatives Homeland Security Committee. He completed his education at the University of Texas at Austin and the University of Virginia School of Law.