Third-Party Security is Your Security

Depending on third parties is inescapable. Every organization needs software, hardware, Internet connectivity, power, and buildings. It’s unlikely they’re going to do all those things themselves. That means that organizations must be dependent on others outside themselves. With that dependence comes risk.

F5 recently partnered with Ponemon Institute to survey CISOs. In the report, The Evolving Role of CISOs and their Importance to the Business, CISOs were asked:

Are your organization’s business partners, vendors, and other third parties held to high security standards?

  • Always — 22%
  • Yes, most of the time — 21%
  • Yes, some of the time — 29%
  • No — 28%

While 54% of the same survey respondents said they monitor third parties to ensure continued compliance with contractually required security requirements, only 22% said they always hold third parties to a high security standard. Yet, interestingly, Beazley Insurance, in their breach insights blog from July 2017, said that third-party suppliers account for 30% of breaches overall.[1]

So, 28% of CISOs are ignoring 30% of their risk?

As my kids would say, “Seriously?”

To get some perspective, let’s look back at these serious security incidents from the past few years that involved third-party vendors:

Who are Third Parties?

A third party is any vendor, customer, or partner whose security failure can lead to a security failure of any of your critical assets or systems.

That includes partners with direct access to your critical systems, such as building management firms, co-location facility providers, IT contractors, and off-site backup services.

Also look at the providers of your critical dependencies, such as Internet service providers, managed IT services vendors, and major software vendors.

Customers, business partners, and sub-tenants are third parties, too, if they have network or physical access to your environment.

In many hospitals, internal clinics and medical service facilities are often run by different organizations than the encompassing hospital, yet they all often share the same network, which creates a patchwork of third-party security environments.

Compliance Requirements on Third Parties

Managing third-party risk isn’t just a good idea, in many cases, it’s the law. Your organization is required to contractually obligate security and privacy measures of third parties’ access to sensitive data if you:

These are just the regulations with direct, detailed requirements. Many others, such as those covering American banks[12] and publicly traded companies,[13] mandate third-party security oversight without spelling out specific requirements.

Third-Party Controls

What to do? Let’s learn from our fellow CISOs, per the same F5 and Ponemon report.

Set a Third-Party Security Policy

Security control should always begin with policy to communicate to the entire organization (and regulators) what your official stance is regarding a particular risk. In this case, you need a policy that says that your organization recognizes risk from third parties and will measure and control it to an acceptable level. Here’s how the surveyed CISOs shook out regarding this:

  • 27% — Establish a direct communication channel between security and contracts/procurement
  • 46% — Establish objective security requirements or protocols for third parties
  • 34% — Establish security requirements and controls for cloud providers
  • 33% — Establish security procedures to ensure that the supply chain is not corrupted, contaminated, or disruptive to business

Set a Standard for Evaluating Third-Party Security

Now that you have a policy, which is a general statement, you need to bolster it with some details. This third-party standard establishes the baseline that third parties must meet, so communicate it to them before you have to rely on them. The standard also serves as the benchmark your organization will use to measure third-party security. Survey said:

  • 57% — Establish a process for evaluating the security protection capability of third parties before engaging in business activities
  • 52% — Establish a vetting process to ensure all third parties are evaluated and screened against objective security requirements

Monitor Third-Party Security

With a policy and standard in place, you can now set up ongoing processes to do that measuring and provide feedback. Survey said:

  • 54% — Monitor third parties to ensure continued compliance with contractually required security requirements
  • 44% — Periodically review third parties against objective security requirements

Enforce Violations from Standard

It’s one thing to set policies and measure against standards, but you need to do something with those results or it’s all a waste of time. Survey said:

  • 53% — Ensure third-party contracts contain security, privacy, and responsibility/liability requirements in case of a breach
  • 37% — Establish enforcement actions and termination penalties against third parties that fail to comply with security requirements
  • 25% — Establish remediation procedures for third parties that fail to comply with security requirements

Lock It Down

Hopefully we’ve spelled out the specifics you need to put together a complete third-party security framework for your organization. Note where your peers are going and make it happen.
