It is increasingly likely that one or more of the vendors or providers that you rely upon will experience a data breach or sensitive data disclosure of some kind in 2016. There are things that you can begin to do today, which will protect you and your organization from any breach suffered by your vendors. We will examine these steps today.
As the awareness and understanding of security breaches grow, it is somewhat comforting to see more organizations – big and small – start to pay more attention to what they need to do to properly protect their infrastructure and their information from an attack. Training, technology, and processes are all vital to that equation, and we’re beginning to see more traction in these areas.
There is, however, a mini-downside to all this corporate introspection. Most organizations have still given little or no thought to the risks that could arise from one of *their* vendors, suppliers or providers suffering a data breach.
In late 2015, T-Mobile customers were adversely affected by a breach of T-Mobile’s vendor, Experian. If your organization were to go through a similar experience, would you (and it) be prepared to comfort or reassure (or placate) your customers? Would you already have a good sense of your vendor’s security posture, or would you also be placed in a position where you had to say: “We will institute a thorough review of our relationship with Experian…”
Creating a strategy to counter a data breach
Here are some things you should consider implementing today, so that you can stay ahead of the curve as it relates to any surprise announcements that your vendors might have in store for you:
- Create one or more vendor risk profiles
- Establish security requirements for your vendors
- Verify that your vendors are pursuing a viable security program
- Ensure that your vendor contracts support your security goals
- Obtain breach notification procedures from your vendors
These items all fall under the heading of “Vendor Risk Management.” Setting up a simple Vendor Risk Management program is easier than you think, but it is well worth it in the long run.
Let’s review some of the key components:
1. Create one or more vendor risk profiles
You need to identify areas where your vendors increase risk for your organization, and determine your appetite for that risk, as well as some ways to mitigate it. The type of vendor has a great deal to do with the scope and type of risk. Your phone company, HR benefits provider, cleaning company, accounting firm, and payroll firm all provide different kinds of services for your organization, and all have access to different types of information about your organization, your employees, and possibly your customers.
Start by looking at who has what information, and what might be the fallout in the worst case for each vendor. Once you’ve worked that out, prioritize the vendor list and start with the riskiest ones first.
2. Establish security requirements for your vendors
You don’t have to reinvent the wheel here. Start with a common set of security controls, such as those found in NIST SP 800-53, or those associated with the PCI compliance standard, and map out the important requirements that you want to make sure your current vendors – and any new vendors – support.
Here are some things that you will want to include:
- Information Security Policies
- Acceptable computer use
- Safeguarding of technology
- Safeguarding of information
- Proper use of encryption
- Incident Response
- Breach Notification
- Change management policies
- Disaster Recovery plan/program
- Securely designed and maintained infrastructure
- Securely designed and maintained applications
- Vetted HR policies, such as background checks
- Annual 3rd party security testing of infrastructure and applications
Don’t try to make the initial list super comprehensive. Start small and focused, and review the list regularly, and you will have many options to expand it to address business needs. Each vendor should have to provide updates annually.
3. Verify that your vendors are pursuing a viable security program
Now that you have your list, and you’ve checked it twice, you need to find out how your vendors are actually performing. You’re not likely to be in a position where you can just shadow them all day to prove that they are doing what they claim, so ask for specific artifacts from them once a year. Things like executive summaries (or, if you are really bold, full details) of compliance certification, and executive summaries of 3rd party external testing will give you a measure of assurance that the organization is on track – at least during the assessment period.
Whatever you do, don’t simply take it for granted that they are patching their systems regularly or deploying infrastructure securely without seeking some reasonable documentation to that effect.
4. Ensure that your vendor contracts support your security goals
Nothing says “I really mean it” like a contract. You should make every effort to have your contracts laid out such that your vendors bear some responsibility for breaches in which they are somewhat culpable. There are many ways to pursue this, and your level of success will depend on how good your legal counsel is versus the legal counsel of the vendor (the size and clout of the vendor are huge factors here, of course), but try to minimize your exposure for things which are controllable by other parties.
Getting your contracts with both customers and vendors to appropriately share responsibility with you in the matter of security is both important and touchy, but needless to say, everyone will be a bit more vigilant about items which are in contractual agreements and encased in legal language.
5. Obtain data breach notification procedures from your vendors
- Do you know what your vendor will do if it has a breach? Are you sure?
- When will they contact you? And by what means?
- How much information will they provide? What will you be able to tell your customers?
This is a very important item because it is the likely vehicle by which your own incident response and breach notification activities will be kicked into high gear.
If you do nothing else in the short term, make sure you understand what your vendors believe they will be allowed to do (or what they are prepared to do), should the not-quite-unthinkable happen.
By regularly identifying and assessing the risks that your vendors pose to your business, and by keeping after them for evidence that they maintain a reasonable security program, you will be helping to manage your own risk profile. Take the time to get rid of excessively risky vendors, or mitigate the risk they pose by adding layers of encryption, or by reducing the scope of data that you share with them.
While it is true that you cannot actually force your vendor to be secure, it may be that your Vendor Risk Management program will keep them on their toes, and reduce the risk that they suffer a huge data breach. And it will certainly keep you and your organization on your toes, ensuring that you keep the data in your stewardship as close to the vest as you can.
Start with a modest program, and grow it as you are able to manage it effectively. The goal is to have just enough process to effect real changes, rather than just add bureaucracy for bureaucracy’s sake.