Trusting third parties: Securing your enterprise ecosystem
The level of interconnection in today’s digital ecosystem has created tremendous opportunities for organizations to work together by extending capabilities and sharing data. However, having an interwoven ecosystem -- of service providers, contact centers, distributors, licensees, joint ventures and other third parties -- has created a much larger flank allowing attackers to skirt around security measures by targeting less secure connections among third parties. For example, recent security breaches that affected Target and Yahoo prove how dangerous unsecured third parties can be and that an organization can be blamed for security vulnerabilities it had little to do with.
In the Philippines, the third-party problem is real. Security risks can come from vendors that use poorly conceived, insecure business processes to manage systems. For example, service providers may connect through remote backdoor access for maintaining and supporting their clients’ internal systems. In some cases, service providers would use software that is no longer supported, full of vulnerabilities and impractical to patch. Vendors could also be using administrative passwords in systems installed at all their customers’ sites. And there could be instances when contact center agents put sticky notes around their cubicles with passwords to the organization’s systems or customers’ credit card information and personal information.
These situations may sound dismal but third-party service providers are not entirely to be blamed for this mess. Due to dynamic business requirements, speed-to-market pressures and a highly competitive environment, organizations simply purchase third-party services and software with operational benefits in mind while neglecting security and data privacy. We have seen organizations that do not pay close attention during contract negotiations. Some agreements do not even clearly identify who is responsible for safeguarding the organization’s information or notifying the organization in case of a data breach.
Organizations only realize the broken trust after a vendor’s fraudulent or unsecured activities are uncovered, like when a customer informs the organization that his or her personal information has been used for some dubious activity, or when management salaries are suddenly shared inappropriately.
The EY Global Information Security Survey 2016-17 confirms that third-party risk management is a major area of risk which is often overlooked, as evidenced by the following findings:
• 68% of respondents disclosed that they would not increase their information security spending even if a supplier was attacked -- even though a supplier may provide attackers with a direct route into the organization.
• 58% said they would not increase their spending if a major competitor was attacked -- despite the fact that cyber criminals often attack organizations that are similar in infrastructure and operating frameworks.
The report thus encourages organizations to be more mindful of the impact that their external network has on how they protect their crown jewels. With the increased risk from third parties, a comprehensive risk management system becomes essential in order for organizations to validate the trust they place on third parties -- which should cover the entire life cycle of the relationship, from selection to implementation to exiting. This system should include the following elements:
1. KNOW YOU THIRD PARTIES
Understand your ecosystem. Maintain a database of third parties, relationship owners, contract terms, reputation and locations of operations. What level of access do they have to your critical information? Which business processes are outsourced to them? What security and privacy measures are in place? Are these third parties further subcontracting activities to their own vendors?
Using the gathered information, the organization should then take steps to determine the risk profile for each third party in its ecosystem.
2. INCLUDE SECURITY AND DATA PRIVACY PROVISIONS IN AGREEMENTS
By creating a risk profile for the third party, the organization can determine the level of security controls and activities that the third party should have in place. These security requirements should also become mandatory terms during agreement negotiations. Should the agreement involve the sharing or outsourced processing of personal data, the organization must include the required data sharing or outsourcing stipulations of the Data Privacy Act of 2012 to ensure that proper safeguards are in place to ensure the confidentiality, integrity and availability of personal data processed; and prevent its use for unauthorized purposes.
Cybersecurity, data privacy, legal and compliance teams should always be present during purchasing, contracting, onboarding and exit discussions. These steps can go a long way toward setting the tone of discussion about the seriousness of cybersecurity and data privacy to the organization.
3. TRUST, BUT VERIFY
Third parties, as well as the security and data privacy provisions in their contracts, should be reviewed on an ongoing basis throughout the relationship with the organization. The frequency of reviews should be dependent on the risk profile, regulatory requirements or changes in the threat environment.
We should note that contract terms and imposition of penalties are important, but should not be the focus of these periodic reviews. Ultimately, security is a joint responsibility. Putting a third party on the defensive may just push them to refute all findings and provide excuses just to avoid penalties. Instead, the organization should set the tone of trust and transparency in their third-party relationships.
Organizations should also consider using assurance options as proof of independent assessments of their third parties’ security and privacy practices such as the Service Organization Control 2, the Payment Card Industry Data Security Standard, or ISO 27001:2013.
4. NEVER BE COMPLACENT
Given the increasing complexity of the cyber world, organizations can no longer rely solely on ad hoc processes and one-time assessments of their third parties. The organization must maintain effective processes to manage risks and incorporate lessons learned from third-party relationships in a way that is consistent with its goals, organizational objectives and risk appetite.
5. INVOLVE LEADERSHIP AND THE RIGHT RELATIONSHIPS
In the digital world, trust in third parties is rapidly becoming a strategic foundation for any business. This necessitates that the responsibility for third-party risk management should move from operational staff to organizational leadership. At the end of the day, management will be accountable for third-party risks and breaches. As a rule, most companies vet the business integrity and performance of third-party vendors and business contacts before granting accreditation. In the same way, reviewing the third party’s security and data privacy systems should become a standard operating procedure for companies to further manage and mitigate the new risks arising in the digital age.
This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinion expressed above are those of the author and do not necessarily represent the views of SGV & Co.
Alvin G. Manuel is a Director from the Advisory Services Group of SGV & Co.